File verdict·Decided by the MT AI Engine
Our call

Suspicious

Unsigned gaming mouse driver installer with LSASS-access heuristic flag but zero tier-1 detections and broad historical prevalence.

Trust score52Caution
inphic_V1.1.3.rar
5.6 MB
805355ac97bcdfe0f337c8da56f0
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 12mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

62%Confidence
Moderate
Reasoning

The file presents a mixed-signal profile. On one hand, zero malicious detections across 64 engines, including all major tier-1 vendors (Kaspersky, Microsoft, BitDefender, ESET, Avira, Fortinet), and a common-old prevalence classification (248 submissions over a year) suggest an established, widely-distributed commodity product. On the other hand, the sandbox heuristic 'MalwareTips.Synth.CredentialDumper' flagged LSASS process access, which is a genuine red flag for credential-theft malware like Mimikatz. The file is unsigned, so no signer reputation can vouch for it. The 8 dropped children remain unverified. This combination — legitimate-looking prevalence + tier-1 silence + suspicious LSASS behaviour — does not fit a clean profile cleanly, nor does it fit a confirmed-malicious profile. It sits in the suspicious zone pending deeper analysis of the dropped children or signer verification.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/64 malicious; tier1Malicious=0; 17 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET, Avira, Fortinet, etc.) all silent

  2. prevalence.classification=common_old: 219 unique submitters, 248 submissions over 360 days — established distribution pattern

  3. triggeredHeuristics: MalwareTips.Synth.CredentialDumper fired (LSASS access detected) but no tier-1 consensus, no malicious sandbox verdict, no malicious children

  4. behaviour: 3 offensive MITRE techniques (T1485, T1548, T1562.001) but 8 ambient techniques; 8 dropped children all unknown verdict; no contacted malicious hosts

  5. signing.verified=false; no signer history; no external intel hits (CIRCL, MalwareBazaar, YARAify all negative)

Points in its favour
  • Zero malicious detections across 64 engines; 17 tier-1 engines all silent
  • Common-old prevalence: 248 submissions over 360 days from 219 sources — established distribution
  • No malicious sandbox verdict recorded; no malicious contacted hosts
  • No brand mismatch, no adversarial input flags
Points against
  • Unsigned executable — no publisher identity or reputation backing
  • Sandbox heuristic flagged LSASS memory access (credential-dumping pattern)
  • Dropped 8 child files with unverified verdicts
  • Offensive MITRE techniques observed (T1485, T1548, T1562.001)
  • No external intelligence corroboration (CIRCL, MalwareBazaar, YARAify all negative)
What to do

Treat this file as suspicious pending further verification. If you obtained it from the official inphic website or a trusted distributor, the broad tier-1 clean coverage suggests it is likely benign; however, the LSASS heuristic and unsigned status mean you should verify the source and consider isolating execution. If you received it from an untrusted source, do not execute it.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
11

Adversary techniques mapped to the MITRE ATT&CK framework.

T1033T1036T1070T1071T1082T1112T1129T1485T1497T1548T1562.001
Spawned processes
15
$(unnamed)
"C:\Users\<USER>\AppData\Local\Temp\inphic V1.1.3.exe"
$(unnamed)
"C:\Users\<USER>\AppData\Local\Temp\is-6AG8G.tmp\inphic V1.1.3.tmp" /SL5="$200EC,5482117,197120,C:\Users\<USER>\AppData\Local\Temp\inphic V1.1.3.exe"
$(unnamed)
C:\Windows\Explorer.EXE
$(unnamed)
"C:\Program Files (x86)\inphic driver\GAMINGMOUSE.exe"
$(unnamed)
C:\Windows\system32\services.exe
$(unnamed)
C:\Windows\System32\svchost.exe -k NetworkService -p
$(unnamed)
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
$(unnamed)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
+7 more processes captured.
Filesystem & mutexes
40
Files written15
  • C:\Users\<USER>\AppData\Local\Temp\is-6AG8G.tmp\inphic V1.1.3.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-89Q4L.tmp\_isetup\_setup64.tmp
  • C:\Program Files (x86)\inphic driver\DuiLib.dll
  • C:\Program Files (x86)\inphic driver\libcurl.dll
  • C:\Program Files (x86)\inphic driver\fftw3f.dll
+10 more
Files deleted15
  • C:\Program Files (x86)\inphic driver\is-4KJRO.tmp
  • C:\Program Files (x86)\inphic driver\is-TDD9D.tmp
  • C:\Program Files (x86)\inphic driver\is-7PGGT.tmp
  • C:\Program Files (x86)\inphic driver\is-VHT6M.tmp
  • C:\Program Files (x86)\inphic driver\is-QFJ4T.tmp
+10 more
Mutexes created10
  • {AppId}Installer
  • Global\{AppId}Installer
  • InstatSetup
  • cversions.3.m
  • CIST_GMouseApp_New825
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 8 children at runtime. None are currently flagged malicious in our cache.

8 unseen
  • 74d22cc7e55ef38c6f2fadd683Never scanned
    never seen before
  • e0eee97b19cf29cef3ba7e5e41Never scanned
    never seen before
  • 3523eef0c9b311cba26723b12dNever scanned
    never seen before
  • b0b57c8b06199dbebc74cc6474Never scanned
    never seen before
  • 4c71d9c4e6f282455615d5eb43Never scanned
    never seen before
  • 388a796580234efc95f3136f95Never scanned
    never seen before
  • db6ddd499a9ad954a422ca5535Never scanned
    never seen before
  • 6ee14e85a47d1d7508c9df3ee7Never scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile
Cred access× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • CredentialDumpermedium

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
Antivirus engine breakdown

0 detections across 75 engines

0 malicious0 suspicious75 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-241 engines
0flag
Mainstream engines with mixed FP rates
Low-trust17 engines
0flag
Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash 805355ac97bc… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
219
Hundreds of people have uploaded this — common.
Total submissions
248
Includes repeat uploads by the same source.
First seen by VT
12mo ago
Jul 15, 2025
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
here
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
7/15/2025, 6:03:32 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/15/2026, 12:08:21 AM
Scanned here
7/10/2026, 10:46:43 AM
File name
inphic_V1.1.3.rar
Size
5.60 MB
MIME type
(unknown)
Detected type
RAR
SHA-256
805355ac97bcdfe0f3242c49e87fe84f1d466a925936bf6506132437c8da56f0
MD5
f1665491705a7aa41f1d448e2d940c67
SHA-1
9fe5d5ec0fbf5544da260fcc6536f2254eff96dc
First seen (VT)
7/15/2025, 6:03:32 AM
Last analysis (VT)
6/15/2026, 12:08:21 AM
First scan (MalwareTips)
7/10/2026, 10:46:43 AM
Last scan (MalwareTips)
7/10/2026, 10:46:43 AM
Behavior tags
rardetect-debug-environmentlong-sleeps
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.