Suspicious
Unsigned installer with tier-2 PUA detections and process-injection heuristics; imphash matches known bundler stubs, but no tier-1 consensus and legitimate software name suggest installer-stage false positives.
8b551e5f2a643cde86…76506291c0The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file exhibits a mixed-signal profile. Tier-2 engines (Skyhigh, TrellixENS) flag 'Artemis', a known PUA/adware family, and heuristics detected process injection and credential-store access. However, tier-1 engines are unanimously silent (17/17 clean), and only 5 of 71 engines report malicious. The imphash (88016fcdef7f227c62171d0afad9aae4) matches 4 prior verdicts on the same stub: 3 'malicious' (OfferCore PUA, Softonic-signed) and 1 'safe' (AV-on-AV FP). The filename 'MPC.exe' and sandbox process chain ('MPC-BE.1.9.0.x64.exe') match a legitimate open-source media player. Sandbox behaviour shows installer unpacking and system process spawning, which is typical for installers, not malware. The absence of malicious sandbox verdict, malicious children, or malicious host contact further suggests this is a bundled installer (PUA risk) rather than active malware. Confidence is moderate due to the process-injection heuristic and tier-2 PUA detections, warranting a 'suspicious' rating rather than 'safe'.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 5/71 malicious; tier1Malicious=0; tier1FamilyConsensus.strong=false — no tier-1 consensus
Skyhigh + TrellixENS (tier-2) both flag 'Artemis' (PUA/adware family), but low-trust engines (APEX, DeepInstinct, Rising) contribute 3/5 flags
similarHashes: 4/5 prior verdicts on imphash=88016fcdef7f227c62171d0afad9aae4 are 'malicious' (OfferCore PUA); 1 is 'safe' (AV-on-AV FP) — reused installer stub pattern
behaviour: T1055 + LSASS access heuristics fired; sandbox shows MPC-BE installer unpacking + system process spawning — consistent with legitimate installer, not malware C2
signing.verified=false, unsigned; prevalence=medium (62 submitters, 120 submissions); no malicious sandbox verdict, no malicious children, no malicious hosts contacted
- All 17 tier-1 antivirus engines silent — no consensus malware detection
- 66 of 71 engines undetected — low overall detection rate
- No malicious sandbox verdict recorded — runtime behaviour not flagged as active malware
- No malicious dropped children or contacted hosts — no C2 or payload-delivery indicators
- Filename and sandbox process chain match legitimate MPC-BE media player
- Unsigned executable — no publisher identity or code-signing verification
- Process injection (T1055) heuristic fired — potential credential-dumping or process-hollowing technique
- LSASS access detected — credential-store interaction flagged by heuristics
- Tier-2 PUA/adware detections (Artemis family) — bundled unwanted software risk
- Imphash matches known bundler stubs (OfferCore) — reused installer infrastructure
Treat this file as a potentially bundled installer (PUA/adware risk) rather than malware. If obtained from an official source, execution risk is low; if from a third-party bundler, download the software directly from the vendor's official site instead. Monitor post-execution for unwanted software or browser modifications.
Artemis corroborated by 1 source
- MT AI EngineArtemis
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\is-9EHZD2IJ3T.tmp\MPC-BE.1.9.0.x64.tmp
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-20TO003R8T.tmp\MPC-BE.1.9.0.x64.tmp
- C:\Users\user\AppData\Local\Temp\is-C27OAE9SDP.tmp
- C:\Users\user\AppData\Local\Temp\is-C27OAE9SDP.tmp\MPC-BE.1.9.0.x64.tmp
Files this sample writes at runtime
This file drops 1 child at runtime. None are currently flagged malicious in our cache.
- 267ba278e6e233b71d45…731d49Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k NetworkService -pSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exe
5 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- MPC.exe
- Size
- 19.44 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 8b551e5f2a643cde8634dd1371274e6b5fbd6d31a2a3d5ce79f50f76506291c0
- MD5
- 093a2d7648108573455a6a60e5f4105c
- SHA-1
- ddd6782abedb17338eb4ebef79f6ed6dc162fe70
- PE imphash
- 88016fcdef7f227c62171d0afad9aae4
- First seen (VT)
- 6/27/2026, 1:59:24 AM
- Last analysis (VT)
- 6/28/2026, 6:08:50 AM
- First scan (MalwareTips)
- 6/28/2026, 6:15:10 AM
- Last scan (MalwareTips)
- 6/28/2026, 6:15:10 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.