Safe
Signed 2018 GOG installer with zero engine detections and long-standing prevalence despite two behavioural heuristics.
e69ce6a9c8814af64d…60ea8ad5bdThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections across the entire engine set, including every tier-1 vendor, is the dominant signal. The GOG certificate and common_old classification further support legitimacy. The two triggered heuristics (T1055 and direct-IP) are the only counter-evidence, yet they appear in many legitimate installers that drop temporary processes. Similar-hash history is mixed but leans safe on the most recent match. No dropped malicious children or malicious hosts were observed.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious detections, tier1Malicious=0, tier1ReportedClean=17
signing.verified=true, signer='GOG Sp. z o.o.'
prevalence.classification='common_old' (1217 submitters)
similarHashes[1].verdict='safe' (matchKind=imphash)
triggeredHeuristics: MalwareTips.Synth.ProcessInjection (T1055) and MalwareTips.Synth.DirectIpC2
- 0/75 engines malicious
- Signed by GOG Sp. z o.o.
- common_old prevalence (1217 submitters)
- No malicious dropped children or contacted hosts
- Two behavioural heuristics flagged T1055 and direct-IP contact
Treat as safe; re-acquire from the official GOG distribution channel if any doubt remains.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 23.216.147.64
- 20.99.133.109
- 192.229.211.108
- 20.99.184.37
- 23.216.147.76
- a83f:8110:0:0:3000:0:0:0
- 20.99.185.48
- 184.25.191.235
- 20.99.186.246
- 192.168.0.77
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-NTF4K.tmp\996E.tmp
- C:\Documents and Settings\Administrator\Local Settings\Temp\Setup Log 2019-10-20 #001.txt
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q6MGV.tmp\996E.tmp
- C:\Documents and Settings\Administrator\Local Settings\Temp\Setup Log 2019-10-27 #001.txt
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-KLQ49.tmp\996E.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DC4.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DD5.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DE6.tmp.txt
- C:\Windows\System32\spp\store\2.0\cache\cache.dat
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDB9.tmp.WERInternalMetadata.xml
- Local\SM0:5308:168:WilStaging_02
- Local\SM0:3704:168:WilStaging_02
- Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- Local\SM0:3704:64:WilError_03
Files this sample writes at runtime
This file drops 3 children at runtime. None are currently flagged malicious in our cache.
- d1d45a999c1dbbbd5c05…37c71dNever scannednever seen before
- 388a796580234efc95f3…136f95Never scannednever seen before
- b0549aa6fceea430b0b5…d95048Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Users\<USER>\AppData\Local\Temp\file.exe"Sample contacted 15 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence23.216.147.64 · 20.99.133.109 · 192.229.211.108
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- setup_minecraft_story_mode_-_adventure_pass_2018-02-22_(18805).exe
- Size
- 746.1 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- e69ce6a9c8814af64d8bf4645eb127a1ca15f8e17a6355339ed52c60ea8ad5bd
- MD5
- 3e7d2ca62e2f2a6e87f8ffd084eabefe
- SHA-1
- da49ad8182deed178f1ae978c736654d104001c1
- PE imphash
- 20dd26497880c05caed9305b3c8b9109
- First seen (VT)
- 10/18/2019, 3:04:35 PM
- Last analysis (VT)
- 5/18/2026, 8:33:45 PM
- First scan (MalwareTips)
- 7/7/2026, 12:30:36 PM
- Last scan (MalwareTips)
- 7/7/2026, 12:30:36 PM
- Code signer
- GOG Sp. z o.o.verified
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.