Suspicious
Unsigned gaming mouse driver installer with LSASS-access heuristic flag but zero tier-1 detections and broad historical prevalence.
805355ac97bcdfe0f3…37c8da56f0The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file presents a mixed-signal profile. On one hand, zero malicious detections across 64 engines, including all major tier-1 vendors (Kaspersky, Microsoft, BitDefender, ESET, Avira, Fortinet), and a common-old prevalence classification (248 submissions over a year) suggest an established, widely-distributed commodity product. On the other hand, the sandbox heuristic 'MalwareTips.Synth.CredentialDumper' flagged LSASS process access, which is a genuine red flag for credential-theft malware like Mimikatz. The file is unsigned, so no signer reputation can vouch for it. The 8 dropped children remain unverified. This combination — legitimate-looking prevalence + tier-1 silence + suspicious LSASS behaviour — does not fit a clean profile cleanly, nor does it fit a confirmed-malicious profile. It sits in the suspicious zone pending deeper analysis of the dropped children or signer verification.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0/64 malicious; tier1Malicious=0; 17 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET, Avira, Fortinet, etc.) all silent
prevalence.classification=common_old: 219 unique submitters, 248 submissions over 360 days — established distribution pattern
triggeredHeuristics: MalwareTips.Synth.CredentialDumper fired (LSASS access detected) but no tier-1 consensus, no malicious sandbox verdict, no malicious children
behaviour: 3 offensive MITRE techniques (T1485, T1548, T1562.001) but 8 ambient techniques; 8 dropped children all unknown verdict; no contacted malicious hosts
signing.verified=false; no signer history; no external intel hits (CIRCL, MalwareBazaar, YARAify all negative)
- Zero malicious detections across 64 engines; 17 tier-1 engines all silent
- Common-old prevalence: 248 submissions over 360 days from 219 sources — established distribution
- No malicious sandbox verdict recorded; no malicious contacted hosts
- No brand mismatch, no adversarial input flags
- Unsigned executable — no publisher identity or reputation backing
- Sandbox heuristic flagged LSASS memory access (credential-dumping pattern)
- Dropped 8 child files with unverified verdicts
- Offensive MITRE techniques observed (T1485, T1548, T1562.001)
- No external intelligence corroboration (CIRCL, MalwareBazaar, YARAify all negative)
Treat this file as suspicious pending further verification. If you obtained it from the official inphic website or a trusted distributor, the broad tier-1 clean coverage suggests it is likely benign; however, the LSASS heuristic and unsigned status mean you should verify the source and consider isolating execution. If you received it from an untrusted source, do not execute it.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\is-6AG8G.tmp\inphic V1.1.3.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-89Q4L.tmp\_isetup\_setup64.tmp
- C:\Program Files (x86)\inphic driver\DuiLib.dll
- C:\Program Files (x86)\inphic driver\libcurl.dll
- C:\Program Files (x86)\inphic driver\fftw3f.dll
- C:\Program Files (x86)\inphic driver\is-4KJRO.tmp
- C:\Program Files (x86)\inphic driver\is-TDD9D.tmp
- C:\Program Files (x86)\inphic driver\is-7PGGT.tmp
- C:\Program Files (x86)\inphic driver\is-VHT6M.tmp
- C:\Program Files (x86)\inphic driver\is-QFJ4T.tmp
- {AppId}Installer
- Global\{AppId}Installer
- InstatSetup
- cversions.3.m
- CIST_GMouseApp_New825
Files this sample writes at runtime
This file drops 8 children at runtime. None are currently flagged malicious in our cache.
- 74d22cc7e55ef38c6f2f…add683Never scannednever seen before
- e0eee97b19cf29cef3ba…7e5e41Never scannednever seen before
- 3523eef0c9b311cba267…23b12dNever scannednever seen before
- b0b57c8b06199dbebc74…cc6474Never scannednever seen before
- 4c71d9c4e6f282455615…d5eb43Never scannednever seen before
- 388a796580234efc95f3…136f95Never scannednever seen before
- db6ddd499a9ad954a422…ca5535Never scannednever seen before
- 6ee14e85a47d1d7508c9…df3ee7Never scannednever seen before
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
0 detections across 75 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- inphic_V1.1.3.rar
- Size
- 5.60 MB
- MIME type
- (unknown)
- Detected type
- RAR
- SHA-256
- 805355ac97bcdfe0f3242c49e87fe84f1d466a925936bf6506132437c8da56f0
- MD5
- f1665491705a7aa41f1d448e2d940c67
- SHA-1
- 9fe5d5ec0fbf5544da260fcc6536f2254eff96dc
- First seen (VT)
- 7/15/2025, 6:03:32 AM
- Last analysis (VT)
- 6/15/2026, 12:08:21 AM
- First scan (MalwareTips)
- 7/10/2026, 10:46:43 AM
- Last scan (MalwareTips)
- 7/10/2026, 10:46:43 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.