File verdict·Decided by the MT AI Engine

Our call

Suspicious

Item: JDownloader2Setup_windows-x86_v11_0_29.exe
Rating: 2.5
Author: MalwareTips File Scanner

Unsigned JDownloader installer shows mixed AV signals with process injection behavior but benign drops and no malicious runtime verdicts.

Trust score55Caution

MT AI confidence · 75%

JDownloader2Setup_windows-x86_v11_0_29.exe

83.1 MB

de8b2bdfc61d635853…5b502bd95e

Antivirus engines

9 of 75 flagged

Code signing

Unsigned

Age

First seen 29 days ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

75%Confidence

High

Reasoning

The file matches a known legitimate installer for JDownloader, which uses install4j and extracts Java runtime components. Tier-1 detections are generic (FileRepMalware) common for recent files, outweighed by 14 clean tier-1 scans. Process injection (T1055) into svchost and LSASS heuristic are red flags but lack corroboration from sandbox verdicts or drops. Unsigned status and new age contribute to caution without strong malicious consensus.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

tier1FamilyConsensus.family='filerepmalware' (2 engines: Avast/AVG)
triggeredHeuristics[0].rule='MalwareTips.Synth.ProcessInjection' fired=true severity=high evidence='svchost.exe -k LocalSystemNetworkRestricted -p'
behaviour.filesWritten includes 'i4jruntime.jar' 'flatlaf.jar' 'java.exe -version'
engines.tier1Malicious=3 vs tier1ReportedClean=14 (e.g., ESET-NOD32, Kaspersky, BitDefender undetected)
droppedChildren.hasMaliciousChild=false (10 unknown)

Points in its favour

14 tier-1 engines clean (ESET, Kaspersky, etc.)
Benign installer drops (install4j, JRE)
No malicious sandbox verdict
No malicious contacted hosts/children
Filename matches legit JDownloader installer

Points against

Unsigned executable
Recent first submission (2 days)
Process injection (T1055) into svchost
LSASS-targeting heuristic
3 tier-1 malicious detections
Generic 'FileRepMalware' labels

What to do

Treat as potentially risky due to heuristics and detections; obtain from trusted official source and scan thoroughly. Avoid if possible until more scans agree clean.

Threat family attribution

filerepmalware corroborated by 1 source

VT (75 engines)
filerepmalware

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.002T1033T1055T1059T1071T1074T1082T1083T1105T1106T1129T1497T1539T1574

Spawned processes

$(unnamed)

"C:\Users\<USER>\Desktop\JDownloader2Setup_windows-x86_v11_0_29.exe"

$(unnamed)

C:\Windows\system32\services.exe

$(unnamed)

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p

$(unnamed)

"C:\Users\<USER>\AppData\Local\Temp\tmp11FA.exe"

$(unnamed)

"c:\users\bruno\appdata\local\INSTAL~1\t\E4J498~1.TMP\jre\bin\java.exe" -version

$(unnamed)

C:\Windows\System32\svchost.exe -k NetworkService -p

$(unnamed)

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

$(unnamed)

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

+2 more processes captured.

Filesystem & mutexes

Files written15

C:\Users\<USER>\AppData\Local\Temp\tmp11FA.exe
C:\Users\<USER>\AppData\Local\install4j\t\i4j_nlog_1.log
C:\Users\<USER>\AppData\Local\install4j\t\e4j4987.tmp_dir1778084974\i4jruntime.jar
C:\Users\<USER>\AppData\Local\install4j\t\e4j4987.tmp_dir1778084974\i4jparams.conf
C:\Users\<USER>\AppData\Local\install4j\t\e4j4987.tmp_dir1778084974\i4j_extf_2_69g5ss_14qfchv.png

+10 more

Files deleted4

C:\Users\<USER>\AppData\Local\install4j\t\e4jtw29889004
C:\Users\<USER>\AppData\Local\install4j\t\e4j4987.tmp_dir1778084974\jre.tar.gz
C:\Program Files (x86)\JDownloader\i4j_writeperm_test
C:\Program Files (x86)\JDownloader

Mutexes created2

A9A48A31
Global\OneSettingQueryMutex+compat+encapsulation

Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen

da63081db591b7346d44…129e67Never scanned
never seen before
48a4a9a7ebca4f7b8840…9533ccNever scanned
never seen before
71c44233dd548b0e5042…06ad15Never scanned
never seen before
d816710152ba53e1a1a5…9ddfdeNever scanned
never seen before
231290d6ac51b2b5639f…ec68a9Never scanned
never seen before
34833b22dff8186f7920…4af4cbNever scanned
never seen before
073ed831ed3eadfd87f4…998093Never scanned
never seen before
652479f4613baa3782ac…7df640Never scanned
never seen before
88c0cddf6b8b3e28d548…fd495cNever scanned
never seen before
bedcce48ca63cc72b24b…323c5aNever scanned
never seen before

No researcher-database hits

External threat-intel sources were not collected for this scan.

Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis

MITRE ATT&CK profile

Defense evasion× 1Cred access× 1

MalwareTips synthesis rules

Our heuristics on VT data + sandbox behaviour

ProcessInjection
T1055
high
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
CredentialDumper
T1003 T1003.001
medium
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence
C:\Windows\system32\lsass.exe

Antivirus engine breakdown

9 detections across 75 engines

9 malicious0 suspicious66 clean

Tier-117 engines

3flag

Top commercial AVs (low FP rate)

Tier-238 engines

1flag

Mainstream engines with mixed FP rates

Low-trust20 engines

5flag

Heuristic / generic-AI engines (high FP rate)

Avast

malicious

FileRepMalware [Misc]

AVG

malicious

FileRepMalware [Misc]

Bkav

malicious

W32.Malware.3A071CB4

DeepInstinct

malicious

MALICIOUS

Google

malicious

Detected

Ikarus

malicious

Trojan.Win64.Krypt

McAfeeD

malicious

ti!DE8B2BDFC61D

Rising

malicious

Trojan.Kryptik@AI.80 (RDML:235PalrdQqZJ5gQtK0qWtw)

Trapmine

malicious

suspicious.low.ml.score

Hash de8b2bdfc61d… cross-referenced against 75 AV engines via our AV network.

PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked

Section entropy7 sections

.text

6.49

.rdata

4.67

.data

2.30

.pdata

4.87

.fptable

0.00

.rsrc

8.00

.reloc

4.94

0.0Packed threshold 7.28.0

Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium

Unique uploaders

Moderate upload volume.

Total submissions

Includes repeat uploads by the same source.

First seen by VT

28d ago

May 6, 2026

Prevalence quadrant

Rare · New

Targeted malware lives here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

5/6/2026, 4:28:13 AM

First seen (MalwareBazaar)

—

Last analysis (VT)

5/8/2026, 7:36:02 AM

Scanned here

5/8/2026, 1:16:29 PM

File name: JDownloader2Setup_windows-x86_v11_0_29.exe
Size: 83.12 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e
MD5: d3b398a757b424f91e645985ade00516
SHA-1: c5997e6a28a46041180780eb52842b668a65e4e2
PE imphash: cebbab50025aad300d9290d50864f4ef
First seen (VT): 5/6/2026, 4:28:13 AM
Last analysis (VT): 5/8/2026, 7:36:02 AM
First scan (MalwareTips): 5/8/2026, 7:33:43 AM
Last scan (MalwareTips): 5/8/2026, 1:16:29 PM
Community reputation: -1flagged

Behavior tags

peexe64bits

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scanned by

harlan4096Staff

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.