Suspicious
Unsigned installer with direct-IP contacts and one low-trust detection but no tier-1 consensus or malicious children.
8b660bf952fc2b40f0…92b426a2cdThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The engine profile is dominated by a single low-trust detection with zero tier-1 malicious flags, which normally points toward false positive. However, the sandbox behaviour includes direct-IP contact to seven addresses and two MITRE techniques commonly associated with privilege escalation and persistence. The file is unsigned, rare, and carries an installer hint but lacks any corroborating malicious family or external-intel hits. These conflicting signals prevent a clean safe or malicious determination.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.onlyLowTrustFlagging=true with 1/75 malicious (Bkav 'W32.AIDetectMalware')
triggeredHeuristics[0].rule=MalwareTips.Synth.DirectIpC2 (7 direct IPs, 0 domains)
behaviour.offensiveTechniques=[T1134, T1547.001]
prevalence.classification=rare_old; signing.signed=false
similarHashes.length=0; externalIntel.yaraify.ruleCount=0
- 74/75 engines clean
- No tier-1 malicious detections
- No malicious sandbox verdict
- No malicious dropped children
- Unsigned binary
- Direct-IP network contacts without domains
- Offensive MITRE techniques observed
- Rare prevalence (only 2 submitters)
Treat as suspicious pending further verification; do not execute on production systems without additional vetting or a trusted source.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 204.79.197.203
- 52.154.209.174
- 23.216.81.152
- 20.99.185.48
- 23.59.198.43
- 20.99.186.246
- 151.101.22.172
- C:\Users\<USER>\AppData\Local\Temp\is-DQL87.tmp\ABPM_F__V5.5.5_Setup.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-2M8NS.tmp\_isetup\_setup64.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-2M8NS.tmp\_isetup\_shfoldr.dll
- C:\Program Files (x86)\ABPM\ABPM.exe
- C:\Program Files (x86)\ABPM\DllConv.dll
- C:\Program Files (x86)\ABPM\is-R0VB4.tmp
- C:\Program Files (x86)\ABPM\is-F8R2H.tmp
- C:\Program Files (x86)\ABPM\is-FB3BS.tmp
- C:\Program Files (x86)\ABPM\is-BP8VR.tmp
- C:\Program Files (x86)\ABPM\is-RRPTS.tmp
- Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- cversions.3.m
- \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- cf8a77f4cbd38f6ab44f…7adff5Never scannednever seen before
- 13f9d708533850c1348b…aadaccNever scannednever seen before
- 2e50b1f56fc0c74c255c…5a17b7Never scannednever seen before
- 7fca853e4a1cd0485402…6d3e31Never scannednever seen before
- 63595ed08fd452ea571a…a1fee0Never scannednever seen before
- 45370e81519db719413a…3c40abNever scannednever seen before
- 78755fb8c2cd1db5f344…01634dNever scannednever seen before
- 71b35dabb51f1cda0aa6…70540dNever scannednever seen before
- b6ecc658fa0b1d787afa…6da675Never scannednever seen before
- 02011fa7fa11447cd752…fbbd50Never scannednever seen before
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 7 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence204.79.197.203 · 52.154.209.174 · 23.216.81.152
1 detection across 79 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Rarely uploaded, but has been around for a while. Often niche legitimate software or old internal tooling; not a strong malware signal on its own.
Forensic fingerprint
- File name
- ABPM(F)_V5.5.5_Setup.exe
- Size
- 21.83 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 8b660bf952fc2b40f05e60f324837645cd8f9a0be177e6e198110792b426a2cd
- MD5
- 9acd1e318d199ffff4d8b04de3e34fd5
- SHA-1
- ea9601b5edb4859eb743756938dca80393e75a7c
- PE imphash
- 48aa5c8931746a9655524f67b25a47ef
- First seen (VT)
- 8/13/2024, 1:50:01 PM
- Last analysis (VT)
- 8/13/2024, 1:50:01 PM
- First scan (MalwareTips)
- 7/9/2026, 5:57:40 AM
- Last scan (MalwareTips)
- 7/9/2026, 5:57:40 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.