Indicator checklist
| Indicator | What it tells you |
|---|---|
| Hash | Best for exact sample matching. If the MD5 matches the one in a report, the file content is the same sample. |
| Path | Temporary folders, startup folders, browser profile folders, and random directory names are stronger warning signs. |
| Publisher | Unsigned files or strange certificate chains deserve more review, especially when paired with startup behavior. |
| Product metadata | Product name and version can be forged. Treat them as supporting evidence, not proof. |
| Sections | Unusual executable sections, packing, or obfuscation can explain generic malware detections. |
| Behavior | Persistence, browser changes, credential prompts, redirects, and repeated re-creation after reboot raise severity. |
Safer decision rule
Act when at least two independent signals agree: for example, a matching hash plus a suspicious path, or a detection family plus unwanted startup behavior. If only one weak signal exists, gather more evidence before deleting files.
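The decision rule above, written out as an added example (not code from the original page): each checklist row becomes one signal, product metadata is deliberately left out because the table treats it as supporting evidence only, and an unsigned publisher counts only when paired with a strong signal. The report hash and the path patterns are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed placeholder standing in for a hash copied from a report (not a real indicator).
REPORT_HASHES = {"0123456789abcdef0123456789abcdef"}

# Assumed patterns for the checklist's "stronger warning sign" locations, matched on a lowercased path.
SUSPICIOUS_PATH_PATTERNS = [
    r"[\\/]temp[\\/]", r"[\\/]tmp[\\/]",                             # temporary folders
    r"[\\/]start menu[\\/]programs[\\/]startup[\\/]",                # startup folder
    r"[\\/]appdata[\\/](local|roaming)[\\/](google|mozilla)[\\/]",   # browser profile folders
    r"[\\/](?=[a-z]*\d)[a-z0-9]{12,}[\\/]",                          # long random-looking directory name
]

@dataclass
class FileObservation:
    md5: str
    path: str
    signed: bool
    detection_family: str = ""       # AV/sandbox family name, empty if none
    persists_after_reboot: bool = False
    modifies_browser: bool = False

def collect_signals(obs: FileObservation) -> dict:
    """One boolean per checklist row; product metadata is left out because the
    checklist treats it as supporting evidence rather than an independent signal."""
    path = obs.path.lower()
    return {
        "hash": obs.md5.lower() in REPORT_HASHES,
        "path": any(re.search(p, path) for p in SUSPICIOUS_PATH_PATTERNS),
        "publisher": not obs.signed,
        "detection": bool(obs.detection_family),
        "behavior": obs.persists_after_reboot or obs.modifies_browser,
    }

def decide(obs: FileObservation) -> str:
    """Apply the two-independent-signals rule. An unsigned publisher is a weak
    signal on its own and only counts when paired with a strong one."""
    s = collect_signals(obs)
    strong = [k for k in ("hash", "path", "detection", "behavior") if s[k]]
    if len(strong) >= 2 or (len(strong) == 1 and s["publisher"]):
        return "act"
    if strong or s["publisher"]:
        return "gather more evidence"
    return "no action"

if __name__ == "__main__":
    sample = FileObservation(md5="0123456789abcdef0123456789abcdef",
                             path=r"C:\Users\bob\AppData\Local\Temp\svc.exe", signed=False)
    print(collect_signals(sample), "->", decide(sample))  # hash + path agree -> act
```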