Suspicious
Unsigned installer showing process-injection and LSASS activity flagged by one low-trust engine.
7a2be93276d1d19142…cf1908c457The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file is an unsigned Windows installer with medium prevalence. Engines show only a single low-trust detection and zero tier-1 malicious flags. Sandbox reports offensive MITRE techniques T1055 and T1134 plus two synthesis heuristics for injection and credential-dumping behaviour. Similar-hash RAG returns one safe verdict on an imphash match that lacks signer correlation. The combination of unsigned status, suspicious runtime activity, and lack of strong malicious consensus places the sample in mixed-signals territory.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 1/69 malicious (APEX low_trust), tier1Malicious=0, onlyLowTrustFlagging=true
behaviour.offensiveTechniques: T1055, T1134; triggeredHeuristics: MalwareTips.Synth.ProcessInjection (high), MalwareTips.Synth.CredentialDumper (medium)
signing.verified=false, prevalence.classification=medium, similarHashes[0].verdict=safe (imphash match)
droppedChildren.hasMaliciousChild=false, externalIntel no hits, behaviour.hasMaliciousSandboxVerdict=false
- Zero tier-1 malicious detections
- No malicious dropped children
- No malicious contacted hosts
- Medium prevalence with 6 submitters
- Unsigned binary
- Sandbox observed T1055 process injection
- Sandbox observed LSASS access (T1134)
- High-severity synthesis heuristic fired
Treat as suspicious pending further verification; do not execute on production systems without sandboxing.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\is-92UUN.tmp\ndowsConsolidated-2026-06-27-9cf9ddf-Windows-64bit-setup.tmp
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-PFBTO.tmp\AirwindowsConsolidated-2026-06-27-9cf9ddf-Windows-64bit-setup.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-1PP91.tmp\_isetup\_setup64.tmp
- C:\Users\user\AppData\Local\Programs
- \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Files this sample writes at runtime
This file drops 2 children at runtime. None are currently flagged malicious in our cache.
- 3badd233a5a6cc372e7e…1f1850Never scannednever seen before
- 388a796580234efc95f3…136f95Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k NetworkService -pSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exe
1 detection across 73 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- AirwindowsConsolidated-2026-06-27-9cf9ddf-Windows-64bit-setup.exe
- Size
- 10.28 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 7a2be93276d1d191429eabb82c1fd99b0f4955904941a911dee3f6cf1908c457
- MD5
- 6ffcb9a0238e86427428e97569981fca
- SHA-1
- e7c08eec92472ab1dbdb9d1e92c09d5441dfff55
- PE imphash
- e569e6f445d32ba23766ad67d1e3787f
- First seen (VT)
- 6/28/2026, 2:31:55 AM
- Last analysis (VT)
- 7/7/2026, 12:32:26 PM
- First scan (MalwareTips)
- 7/7/2026, 12:22:21 PM
- Last scan (MalwareTips)
- 7/8/2026, 12:50:56 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.