Suspicious
Unsigned installer with offensive sandbox techniques (process injection, LSASS access) but zero tier-1 detections and no malicious sandbox verdict — mixed signals warrant caution.
de6a60745bc1023d15…71d2a85dac
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence presents a mixed picture. On one hand, zero tier-1 detections and no malicious sandbox consensus suggest the file is not actively flagged as malware by high-trust vendors. On the other hand, the sandbox observed offensive MITRE techniques — process injection into svchost.exe and LSASS memory access — which are typical of credential-stealing malware or offensive tools. The file is unsigned and lacks publisher reputation history, which increases uncertainty. The RAG history shows prior files with the same imphash were verdicted as suspicious or borderline, not safe or malicious, reinforcing the mixed-signals classification. The absence of contacted malicious hosts and dropped malicious children further suggests the file did not execute a full attack chain in the sandbox.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=0; 17 tier-1 engines (Avast, BitDefender, ESET, Kaspersky, Fortinet, Ikarus, Emsisoft, DrWeb, F-Secure, GData, Avira, AVG) all undetected
- triggeredHeuristics: MalwareTips.Synth.ProcessInjection (T1055, CreateRemoteThread into svchost.exe) and MalwareTips.Synth.CredentialDumper (LSASS access) — offensive techniques present but no malicious sandbox verdict
- similarHashes imphash match: 3/5 prior verdicts suspicious (ai:borderline_mixed_signals, ai:signed_but_unusual_behaviour×2); 1 safe (Microsoft-signed); 1 unknown — mixed history, no malicious consensus
- signing.verified=false, unsigned; no signer history; filename 'PolarInstaller.exe' with hasInstallerHint=true — installer-shaped but unverified
- behaviour.hasMaliciousSandboxVerdict=false; no malicious contacted hosts; no dropped malicious children — runtime behaviour did not trigger malicious consensus despite offensive techniques
- Zero tier-1 antivirus detections across 17 high-trust engines (Avast, BitDefender, ESET, Kaspersky, Fortinet, etc.)
- No malicious sandbox verdict issued despite offensive techniques observed
- No malicious contacted hosts or dropped malicious children
- Filename and metadata consistent with legitimate installer (hasInstallerHint=true, no brand mismatch)
- Process injection (T1055) into system process (svchost.exe) — typical of malware evasion
- LSASS credential-dumping activity (T1547.001, T1562.001) — hallmark of credential-stealing malware
- Unsigned executable — no publisher verification
- 1 day old, medium prevalence — could be newly-distributed malware or legitimate software not yet widely known
- Triggered heuristics for process injection and credential-dumper patterns
Do not execute this file unless you can verify its source and legitimacy directly with the publisher. If you received it from an untrusted source, delete it. If you believe it is legitimate, contact the publisher or run it in an isolated sandbox environment before allowing it on production systems.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
- C:\Users\user\AppData\Roaming
- \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
- \Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: PolarInstaller.exe
- Size: 2.81 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: de6a60745bc1023d157bd72c0d80142a74826f7ad9c1f7d1cc1b0571d2a85dac
- MD5: 7b4280b8c7b875e4574bcfca797d0741
- SHA-1: c5724a55f8154b94ff0d6cf31cc52909db34cc07
- PE imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- First seen (VT): 6/8/2026, 5:36:08 PM
- Last analysis (VT): 6/9/2026, 2:31:01 AM
- First scan (MalwareTips): 6/9/2026, 11:56:34 AM
- Last scan (MalwareTips): 6/9/2026, 11:56:34 AM
Reviews & malware reports (0)