File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned installer with process injection and direct-IP contact flagged by heuristics; tier-1 engines silent; community analysis conflicted.

Trust score · 52 (Caution)
MT AI confidence · 62%
Setup.exe
102.0 KB
7123e1514b939b1659fd2888d4ab
Antivirus engines
0 of 74 flagged
Code signing
Unsigned
Age
First seen 3y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence · 62% (Moderate)
Reasoning

The evidence presents a mixed picture. On one hand, the file is unsigned, exhibits 7 offensive MITRE techniques (process injection, process hollowing, persistence, reflective code loading), contacted 15 external IPs with zero DNS queries, and matched 4 community YARA rules including one for ransomware. On the other hand, zero tier-1 engine detections, 17 tier-1 clean reports, and independent FileScan.IO 'NO_THREAT' verdicts (3 reports, 100% confidence) strongly suggest a false-positive cascade or a legitimate but aggressive installer. The common_old prevalence classification and high submission volume indicate this is a known sample. Community comments are conflicted: some claim malware, others cite game distribution and VM detection. Without tier-1 consensus or confirmed malicious dropped children, the heuristic signals alone do not justify a malicious verdict.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET, Fortinet, Emsisoft, Ikarus, F-Secure, GData, DrWeb, Avira, AVG) — no tier-1 consensus on malware.

  2. yaraify.ruleCount=4 including 'VECT_Ransomware' and 'HUNTING_SUSP_TLS_SECTION' — community researcher corroboration of suspicious patterns, but no named family consensus.

  3. behaviour.offensiveTechniques=[T1055, T1134, T1134.004, T1547.001, T1560.002, T1562.001, T1620]; contactedIps=15 external IPs, contactedDomains=0 — direct-IP C2 pattern flagged by triggeredHeuristics.DirectIpC2.

  4. prevalence.classification=common_old (88,344 submissions, 3,662 sources); reputation=-58 — high volume suggests known sample, but negative reputation is ambiguous (could be PUA, installer, or false-positive cascade).

  5. communityComments: FileScan.IO reports 'NO_THREAT' (3x, 100% confidence); user reports conflicting ('virus', 'game malware', 'MrBeast'); signing.verified=false, unsigned — no publisher anchor to disambiguate.

Points in its favour
  • Zero tier-1 engine detections — all 17 major AV engines (Avast, BitDefender, Kaspersky, ESET, Fortinet, etc.) report clean or undetected.
  • FileScan.IO 'NO_THREAT' verdict (3 independent reports, 100% confidence) — independent third-party analysis contradicts malware claims.
  • No malicious dropped children — 10 inspected children all unverdicted; no downstream malicious artefacts confirmed.
  • No malicious contacted hosts — contacted IPs do not match our malicious URL cache.
  • Common_old prevalence — high submission volume and age (1003 days) suggest a known, stable sample rather than novel threat.
Points against
  • Unsigned executable — no publisher identity or trust anchor.
  • Process injection (T1055) and process hollowing (T1134) — techniques used by both malware and legitimate software for anti-tampering.
  • Direct-IP contact (15 IPs, zero domains) — bypasses DNS-based reputation systems; flagged as C2 evasion pattern.
  • Community YARA rule matches including 'VECT_Ransomware' — suggests code patterns shared with ransomware, but no tier-1 engine consensus.
  • Negative reputation score (-58) — indicates prior flagging by heuristic engines or user reports.
  • High submission volume (88k+) — suggests known sample, but ambiguous whether benign or malware.
What to do

Do not execute this file unless you can verify its source and purpose. If it is a game or installer, obtain it directly from the official publisher and verify the publisher's digital signature. If you must test it, use a sandboxed or virtual environment. Consider the context: the absence of tier-1 engine consensus and independent 'NO_THREAT' analysis suggest a false-positive cascade on a legitimate but aggressive installer, but the unsigned status and heuristic signals warrant caution.

Threat family attribution

golang bin JCorn CSC846 corroborated by 1 source

  • 4 YARA rules
    golang_bin_JCorn_CSC846, HUNTING_SUSP_TLS_SECTION, pe_detect_tls_callbacks
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
36

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1018, T1027, T1027.002, T1033, T1045, T1047, T1053.005, T1055, T1056.001, T1057, T1059, T1063, T1071, T1082, T1083, T1087, T1112, T1113, T1129, T1134, T1134.004, T1140, T1222 (+12 more)
Spawned processes
15
  • (unnamed): "C:\Users\<USER>\Desktop\software.exe"
  • (unnamed): C:\Windows\system32\WerFault.exe -u -p 7052 -s 456
  • (unnamed): %SAMPLEPATH%\7123e1514b939b165985560057fe3c761440a9fff9783a3b84e861fd2888d4ab.exe
  • (unnamed): C:\Windows\System32\WerFault.exe
  • (unnamed): C:\Windows\System32\wuapihost.exe
  • (unnamed): C:\Program Files (x86)\Google3960_1095265391\bin\updater.exe
  • (unnamed): C:\Program Files (x86)\Google2228_1082593304\bin\updater.exe
  • (unnamed): C:\Program Files (x86)\Google476_1862544417\bin\updater.exe
+7 more processes captured.
Network activity
20
IP addresses (20)
  • 23.216.147.73
  • 20.99.186.246
  • 192.229.211.108
  • 20.99.133.109
  • 23.216.147.64
  • a83f:8110:0:0:a8ef:0:0:0
  • 23.216.147.61
  • 104.86.182.74
  • 23.216.147.71
  • a83f:8110:0:0:1400:1400:2800:3800
+10 more
Filesystem & mutexes
40
Files written (15)
  • C:\ProgramData\Microsoft\Windows\WER\Temp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\d8d75f25-92c6-4dd1-818b-347eff18d8c8
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue
  • C:\ProgramData\Microsoft\Windows\WER\Temp\c51be930-c9cd-4efe-b5ff-fa475d9c1135
  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
+10 more
Files deleted (15)
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC97A.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD12B.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD301.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC97A.tmp.dmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD12B.tmp.WERInternalMetadata.xml
+10 more
Mutexes created (10)
  • Local\WERReportingForProcess7052
  • Global\AmiProviderMutex_InventoryApplicationFile
  • Global\1fda8955-005d-461d-bb30-a60e634d4bec
  • \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7212
  • \Sessions\1\BaseNamedObjects\Global\AmiProviderMutex_InventoryApplicationFile
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • a81475c9d68ada14e6735c2366 · Never scanned (never seen before)
  • ddcb4772b3d99acc8f8ae933a3 · Never scanned (never seen before)
  • 3aad9ef6e785e1f073b2a4e5fa · Never scanned (never seen before)
  • 2581ff8d21062c692644fec3f4 · Never scanned (never seen before)
  • 0cf259512a8163cca6aa3adca7 · Never scanned (never seen before)
  • 905d9f014d7de681a0f0bc45f5 · Never scanned (never seen before)
  • a755d76dec60f7507a1a54b69d · Never scanned (never seen before)
  • 2095341574abd0901e75627e0c · Never scanned (never seen before)
  • 6523687811e294539002ee17fc · Never scanned (never seen before)
  • 5a6381509182edae1f035b0b78 · Never scanned (never seen before)
External threat intelligence

1 corroborating signal from researcher-curated sources

YARAify HIT · 4 community rules matched
  • golang_bin_JCorn_CSC846 (by Justin Cornwell)
    CSC-846 Golang detection ruleset
  • HUNTING_SUSP_TLS_SECTION (by chaosphere)
    Detect PE files with .tls section that can be used for anti-debugging
  • pe_detect_tls_callbacks
  • VECT_Ransomware (by Mustafa Bakhit)
    Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

4 YARAify · 2 synthesis
MITRE ATT&CK profile
Defense evasion × 1 · C2 × 1
YARAify (community)
Researcher-authored rules via abuse.ch
  • golang_bin_JCorn_CSC846
  • HUNTING_SUSP_TLS_SECTION
  • pe_detect_tls_callbacks
  • VECT_Ransomware
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Users\<USER>\Desktop\software.exe"
  • DirectIpC2 (medium)

    Sample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    23.216.147.73 · 20.99.186.246 · 192.229.211.108
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
Tier-1 · 17 engines · 0 flag
  Top commercial AVs (low FP rate)
Tier-2 · 37 engines · 0 flag
  Mainstream engines with mixed FP rates
Low-trust · 20 engines · 0 flag
  Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash 7123e1514b93… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy · 7 sections
  • .text: 5.78
  • .rdata: 4.35
  • .buildid: 0.60
  • .data: 1.43
  • .pdata: 3.12
  • .tls: 0.00
  • .rsrc: 7.72
Entropy scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
3,662
Hundreds of people have uploaded this — common.
Total submissions
88,344
Includes repeat uploads by the same source.
First seen by VT
3y ago
Sep 18, 2023
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries (this file sits here)
File identity

Forensic fingerprint

File biography
First seen (VT)
9/18/2023, 11:52:17 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/17/2026, 5:57:49 PM
Scanned here
6/17/2026, 9:55:06 PM
File name
Setup.exe
Size
102.0 KB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
7123e1514b939b165985560057fe3c761440a9fff9783a3b84e861fd2888d4ab
MD5
0323998e0e85eca5fd90d9f8ecbbd6c2
SHA-1
56dc080f728d7a276495d6a4371670f9ea71519b
PE imphash
a9563ca2ee659a9314820bead4ec962b
First scan (MalwareTips)
6/17/2026, 9:55:06 PM
Last scan (MalwareTips)
6/17/2026, 9:55:06 PM
Community reputation
-58 (flagged)
Behavior tags
64bits, detect-debug-environment, peexe
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.