File verdict · Decided by the MT AI Engine
Our call

Safe

Legitimate Houdini license server binary from Side Effects Software with only a single low-trust detection.

Signed but unverified · Side Effects Software Inc.
Trust score 88 · High trust
MT AI confidence · 85%
sesinetd.exe
12.1 MB
2cd2b98b9f8b0e1ab1c769850a0c
Antivirus engines
1 of 75 flagged
Code signing
Unverified: Side Effects Software Inc.
Age
First seen 3y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

85% confidence · Very high
Reasoning

The engine distribution is textbook low-trust-only false-positive shape. Prevalence data and the Side Effects signer strongly indicate the file is the official sesinetd license server shipped with Houdini. Sandbox and child-file results are clean. The two triggered heuristics (DirectIpC2 and yaraify) are outweighed by the aggregate benign signals.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.onlyLowTrustFlagging=true with 1/71 malicious (Trapmine)

  2. prevalence.classification=common_old (1000 submitters)

  3. signing.signer=Side Effects Software Inc.

  4. triggeredHeuristics[0].rule=MalwareTips.Synth.DirectIpC2

  5. externalIntel.yaraify.ruleCount=14

Points in its favour
  • 17 tier-1 engines clean
  • common_old prevalence (1000 sources)
  • signed by Side Effects Software Inc.
  • no malicious children or sandbox verdicts
Points against
  • Direct IP connections without DNS (heuristic)
What to do

Treat as safe; the single low-trust flag is a false positive on this widely distributed Houdini component.

Threat family attribution

BLOWFISH Constants corroborated by 1 source

  • 14 YARA rules
    BLOWFISH_Constants, Check_OutputDebugStringA_iat, DebuggerCheck__API
Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Verdict treated these as likely false positives.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (12)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1036, T1059, T1063, T1071, T1082, T1095, T1116, T1198, T1202, T1518.001, T1560, T1574.002
Spawned processes (13)
  • (unnamed): "C:\Users\<USER>\Desktop\file.exe"
  • (unnamed): %SAMPLEPATH%\2cd2b98b9f8b0e1ab1d554e28671b080d214412388ce10092e3a2dc769850a0c.exe
  • (unnamed): C:\Windows\System32\wuapihost.exe
  • (unnamed): C:\Windows\System32\UI0Detect.exe
  • (unnamed): C:\Program Files\Google3796_310757732\bin\updater.exe
  • (unnamed): C:\Program Files\Google2940_1228202055\bin\updater.exe
  • (unnamed): C:\Program Files\Google3220_20146188\bin\updater.exe
  • (unnamed): C:\Program Files\Google2224_2087754866\bin\updater.exe
+5 more processes captured.
Network activity (20)
IP addresses (20)
  • 204.79.197.203
  • 20.99.186.246
  • 192.229.211.108
  • 23.216.147.67
  • 20.99.133.109
  • 20.99.185.48
  • 23.216.147.76
  • 23.216.147.64
  • 20.99.184.37
  • 23.6.103.183
+10 more
Filesystem & mutexes (23)
Files written (6)
  • C:\Users\<USER>\Documents\houdini20.0\houdini.env
  • C:\Users\user\AppData\Local\Temp\houdini_temp
  • C:\Users\user\Documents\houdini20.0
  • C:\Users\user\Documents\houdini20.0\houdini.env
  • \Device\ConDrv
+1 more
Files deleted (15)
  • C:\Windows\System32\spp\store\2.0\cache\cache.dat
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD5.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FE6.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FE7.tmp.txt
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER13C1.tmp.WERInternalMetadata.xml
+10 more
Mutexes created (2)
  • DBWinMutex
  • \Sessions\1\BaseNamedObjects\DBWinMutex
Dropped payload

Files this sample writes at runtime

This file drops 4 children at runtime. None are currently flagged malicious in our cache.

4 unseen
  • 3fdf522ee115295ca9d4844f9d · Never scanned (never seen before)
  • c6456e12e5e53287a5473d144d · Never scanned (never seen before)
  • 570ae52615fb6f41a690a925aa · Never scanned (never seen before)
  • b420f67419ac45b5091841c230 · Never scanned (never seen before)
External threat intelligence

1 corroborating signal from researcher-curated sources

YARAify HIT · 14 community rules matched
  • BLOWFISH_Constants by phoul (@phoul)
    Look for Blowfish constants
  • Check_OutputDebugStringA_iat
  • DebuggerCheck__API
  • DebuggerException__SetConsoleCtrl
  • MD5_Constants by phoul (@phoul)
    Look for MD5 constants
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

5 YARAify · 1 synthesis
MITRE ATT&CK profile
C2 × 1
YARAify (community)
Researcher-authored rules via abuse.ch
  • BLOWFISH_Constants
  • Check_OutputDebugStringA_iat
  • DebuggerCheck__API
  • DebuggerException__SetConsoleCtrl
  • MD5_Constants
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 (medium)

    Sample contacted 17 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    204.79.197.203 · 20.99.186.246 · 192.229.211.108
Antivirus engine breakdown

1 detection across 75 engines

1 malicious · 0 suspicious · 74 clean
Tier-1 (17 engines): 0 flagged
  Top commercial AVs (low FP rate)
Tier-2 (38 engines): 0 flagged
  Mainstream engines with mixed FP rates
Low-trust (20 engines): 1 flagged
  Heuristic / generic-AI engines (high FP rate)
  • Trapmine: malicious (malicious.moderate.ml.score)
Hash 2cd2b98b9f8b… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Entropy 7.61 · Unpacked
Section entropy (6 sections)
  • .text: 6.55
  • .rdata: 7.02
  • .data: 5.57
  • .pdata: 6.52
  • _RDATA: 3.32
  • .rsrc: 2.57
Scale 0.0 to 8.0 · Packed threshold 7.2
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders: 1,000
Hundreds of people have uploaded this: common.
Total submissions: 1,298
Includes repeat uploads by the same source.
First seen by VT: 3y ago (Dec 7, 2023)
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries (this file is here)
File identity

Forensic fingerprint

File biography
First seen (VT)
12/7/2023, 6:49:34 AM
First seen (MalwareBazaar)
Last analysis (VT)
5/13/2026, 12:29:35 AM
Scanned here
6/4/2026, 9:18:00 AM
File name
sesinetd.exe
Size
12.10 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
2cd2b98b9f8b0e1ab1d554e28671b080d214412388ce10092e3a2dc769850a0c
MD5
3a73e0a6186a323af03bcbdc75e3c30d
SHA-1
0de541955d9cdee859f9f207154dfb288a400c88
PE imphash
8602fc263836e71ccfea4afb98d6c01a
First scan (MalwareTips)
6/4/2026, 9:18:00 AM
Last scan (MalwareTips)
6/4/2026, 9:18:00 AM
Code signer
Side Effects Software Inc. (invalid signature)
Behavior tags
invalid-signature, checks-network-adapters, peexe, 64bits, detect-debug-environment, overlay, signed
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.