File verdict · Decided by the MT AI Engine
Our call

Malicious

Unsigned installer flagged by tier-1 engine for PSEB family; sandbox observed process injection, credential dumping, and direct-IP C2 contact.

pseb
Trust score: 18 (High risk)
MT AI confidence · 72%
setup.exe
8.5 MB
9b7c34eefa6dc1db1612931d6edf
Antivirus engines
4 of 75 flagged
Code signing
Unsigned
Age
First seen 2mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 72% (High)
Reasoning

This unsigned setup.exe is flagged by GData (tier-1) as Generic.Trojan.PSEB.WTN8JB, establishing a named family detection with tier-1 authority. While only 1 of 17 tier-1 engines flagged it malicious, the remaining tier-1 engines' silence does not contradict the detection — they may lack PSEB signatures. The sandbox behaviour is unambiguous: process injection into Explorer.exe (T1055), credential dumping from LSASS (Mimikatz-shape), and direct-IP C2 to two external IPs with zero DNS queries. These are not installer false positives; they are offensive techniques used by malware to evade detection and steal credentials. Malwarebytes' 'RiskWare.Crack' label suggests cracking/keygen tooling, which is classified as malware under most policies. The file's medium prevalence (92 submissions) and lack of external intel hits do not override the tier-1 family detection and sandbox-observed offensive behaviour.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. GData (tier-1) flags 'Generic.Trojan.PSEB.WTN8JB' — named family PSEB with tier-1 authority

  2. Malwarebytes (tier-2) flags 'RiskWare.Crack' with adwarePua=true — cracking/keygen tooling

  3. triggeredHeuristics: Process Injection (T1055) into Explorer.exe (high severity), LSASS credential dumping (Mimikatz-shape, medium), Direct-IP C2 to 184.28.3.247 and 162.159.36.2 with zero DNS (medium)

  4. Unsigned, no signer history, no brand mismatch — no legitimate publisher backing

  5. Contacted URLs are legitimate Microsoft redistributables; dropped children (10) all unknown verdict; no malicious hosts in our cache — but offensive behaviour is unambiguous

Points in its favour
  • Contacted URLs are legitimate Microsoft Visual C++ redistributable endpoints (aka.ms/vs/17/release/vc_redist.*)
  • Dropped children (10 inspected) show no malicious verdicts in our cache
  • No malicious or suspicious hosts in our URL cache cross-reference
  • No external intel hits (CIRCL, YARAify) — though absence of researcher corroboration does not override tier-1 detection
Points against
  • Tier-1 engine (GData) identifies named malware family PSEB
  • Process injection into legitimate process (Explorer.exe) to evade detection
  • LSASS credential dumping (Mimikatz-like behaviour) — credential theft risk
  • Direct-IP C2 communication bypassing DNS reputation systems
  • Privilege escalation attempt (T1548)
  • Data destruction techniques observed (T1485)
What to do

Block and quarantine this file immediately. The tier-1 family detection (PSEB) combined with sandbox-observed process injection, credential dumping, and direct-IP C2 communication confirms malicious intent. If executed, assume credential compromise and initiate incident response.

Threat family attribution

crack corroborated by 2 sources

  • VT (75 engines)
    crack
  • MT AI Engine
    pseb
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
21

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1027, T1027.002, T1036, T1055, T1059, T1070, T1071, T1082, T1083, T1129, T1134, T1202, T1485, T1497, T1497.001, T1529, T1548, T1573, T1614, T1614.001
Spawned processes
15
  • "C:\Users\<USER>\Desktop\setup.exe"
  • "C:\Users\<USER>\AppData\Local\Temp\is-6IOSJ.tmp\setup.tmp" /SL5="$501A6,8320176,140800,C:\Users\<USER>\Desktop\setup.exe"
  • C:\Windows\Explorer.EXE
  • "C:\Windows\system32\cmd.exe" /C C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\fnr.exe arc.ini fgrplc -1
  • C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\fnr.exe arc.ini fgrplc -1
  • "C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\FlushFileCache.exe"
  • C:\Windows\system32\services.exe
  • "C:\Games\Jurassic World Evolution 3\unins000.exe" /VERYSILENT
+7 more processes captured.
Network activity
4
IP addresses (2)
  • 184.28.3.247
  • 162.159.36.2
URLs (2)
  • https://aka.ms/vs/17/release/vc_redist.x64.exe
  • https://aka.ms/vs/17/release/vc_redist.x86.exe
Filesystem & mutexes
35
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\is-6IOSJ.tmp\setup.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\_isetup\_setup64.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\_isetup\_shfoldr.dll
  • C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\idp.dll
  • C:\Users\<USER>\AppData\Local\Temp\is-BVSDD.tmp\innocallback.dll
+10 more
Files deleted (15)
  • C:\Games\Jurassic World Evolution 3\is-GRJG5.tmp
  • C:\Games\Jurassic World Evolution 3\_Redist\is-4C8R9.tmp
  • C:\Games\Jurassic World Evolution 3\_Redist\is-13551.tmp
  • C:\Games\Jurassic World Evolution 3\is-01IH4.tmp
  • C:\Games\Jurassic World Evolution 3\is-MOSLR.tmp
+10 more
Mutexes created (5)
  • Local\DirectSound DllMain mutex (0x00000E5C)
  • cversions.3.m
  • Local\Mutex238415d2de6d946f.automaticDestinations-ms
  • StartMenuPinListMutex
  • TaskbarPinListMutex
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

3 synthesis rules
MITRE ATT&CK profile
Defense evasion × 1 · Cred access × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 (medium)

    Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    184.28.3.247 · 162.159.36.2
Antivirus engine breakdown

4 detections across 75 engines

4 malicious · 0 suspicious · 71 clean
Tier-1: 17 engines, 1 flag
Top commercial AVs (low FP rate)
Tier-2: 38 engines, 1 flag
Mainstream engines with mixed FP rates
Low-trust: 20 engines, 2 flags
Heuristic / generic-AI engines (high FP rate)
  • Bkav · malicious · W32.Malware.E1E06090
  • GData · malicious · Generic.Trojan.PSEB.WTN8JB
  • Malwarebytes · malicious · RiskWare.Crack
  • Paloalto · malicious · generic.ml
Hash 9b7c34eefa6d… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 8.00 · Unpacked
Section entropy (8 sections)
  • .text: 6.48
  • .itext: 6.02
  • .data: 2.67
  • .bss: 0.00
  • .idata: 4.97
  • .tls: 0.00
  • .rdata: 0.19
  • .rsrc: 4.16
Scale 0.0 to 8.0 · packed threshold 7.2
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
76
Moderate upload volume.
Total submissions
92
Includes repeat uploads by the same source.
First seen by VT
2mo ago
Apr 27, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
4/27/2026, 2:29:27 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/9/2026, 12:03:19 AM
Scanned here
6/11/2026, 7:16:50 AM
File name
setup.exe
Size
8.50 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
9b7c34eefa6dc1db16cd458326e532ddc393ef86c4dd09d41ea2b912931d6edf
MD5
904c3511b42f55312406d0a08c11d058
SHA-1
d404e9e32cd73af06bf59522cd754f31b74e2559
PE imphash
483f0c4259a9148c34961abbda6146c1
First scan (MalwareTips)
6/11/2026, 7:16:50 AM
Last scan (MalwareTips)
6/11/2026, 7:16:50 AM
Behavior tags
overlay, peexe
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.