File verdict·Decided by the MT AI Engine

Our call

Safe

Item: 7zS.sfx.exe
Rating: 4.5
Author: MalwareTips File Scanner

7-Zip self-extracting archive flagged by single low-trust ML engine; 16 tier-1 engines silent; legitimate extraction and certificate-validation behaviour.

Trust score82Moderate trust

MT AI confidence · 82%

7zS.sfx.exe

10.3 MB

5214af10a2c2db07df…3f8a283546

Antivirus engines

1 of 75 flagged

Code signing

Unsigned

Age

First seen 7y ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

82%Confidence

High

Reasoning

The detection pattern is classic low-trust-only false positive: a single generic ML heuristic from Trapmine against consensus silence from tier-1 engines (Kaspersky, BitDefender, ESET, Fortinet, Avast, Avira, DrWeb, F-Secure, GData, Emsisoft, and others). The file's name and behaviour are consistent with 7-Zip's self-extracting archive format. Sandbox execution shows extraction of legitimate-looking binaries with no malicious verdicts on any of the 10 dropped children. The 'DirectIpC2' heuristic fired on contact with Symantec's CDN (162.159.36.2) for certificate-revocation-list fetches, a normal operation during archive extraction, not malware command-and-control. The 'PersistenceScheduledTask' heuristic flagged standard Windows CTF mutexes, not actual persistence mechanisms. Prevalence is medium (4 submitters, 9 submissions since 2019), and no external intelligence (CIRCL, YARAify, MalwareBazaar) corroborates malice.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

1/69 engines malicious (Trapmine, low-trust); tier1Malicious=0; 16 tier-1 engines silent (Kaspersky, BitDefender, ESET, Fortinet, Avast, Avira, DrWeb, F-Secure, GData, Emsisoft, Ikarus, Kypersky)
Trapmine label 'suspicious.low.ml.score' is generic ML heuristic with no named family — no tier-1 family consensus
Filename '7zS.sfx.exe' is 7-Zip self-extracting archive; sandbox dropped 10 children, 0 malicious verdicts; extracted binaries appear legitimate (H2OFFT-W.exe, BiosImageProc.dll, FWUpdLcl.exe)
Contacted URLs include legitimate Windows Update and certificate-revocation endpoints (download.windowsupdate.com, verisign.com, symcb.com); IPs include local network (192.168.122.1) and Symantec CDN (162.159.36.2)
Prevalence=medium (4 submitters, 9 submissions since 2019-03-04); no external-intel hits (CIRCL, YARAify, MalwareBazaar); no malicious dropped children

Points in its favour

16 tier-1 antivirus engines silent (Kaspersky, BitDefender, ESET, Fortinet, Avast, Avira, DrWeb, F-Secure, GData, Emsisoft, Ikarus, and others)
0/10 dropped children flagged as malicious
Contacted hosts are legitimate (Windows Update, Symantec CDN, VeriSign CRL servers)
No external-intelligence hits (CIRCL, YARAify, MalwareBazaar)
Medium prevalence (4 submitters, 9 submissions since 2019) consistent with legitimate utility

What to do

This file is safe. The single low-trust detection is a false positive from a generic ML heuristic. Proceed with confidence; no action required.

Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file

1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.

Verdict treated these as likely false positives.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.005T1059T1082T1083T1129T1222T1497.001T1564.003

Spawned processes

$(unnamed)

.\H2OFFT-W.exe -sfx7z C:\Users\<USER>\Downloads execApp

$(unnamed)

"C:\Users\user\Desktop\program.exe"

Network activity

IP addresses2

192.168.122.1
162.159.36.2

URLs5

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
http://s.symcb.com/pca3-g5.crl
http://sw.symcb.com/sw.crl
http://crl.verisign.com/pca3.crl
http://csc3-2010-crl.verisign.com/csc3-2010.crl

Persistence

Indicators1

iscFlash

Filesystem & mutexes

Files written15

C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\Ding.wav
C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\Microsoft.VC90.CRT.manifest
C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\Microsoft.VC90.MFC.manifest
C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\platform.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\FlsHook.exe

+10 more

Files deleted10

C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Cab3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Tar4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Cab5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Tar6.tmp

+5 more

Mutexes created9

CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500

+4 more

Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen

d4d8967f651e91a34258…89e4f8Never scanned
never seen before
9e0220511d4ebdb014cc…196582Never scanned
never seen before
f7205c5c0a629d0cc60e…23922bNever scanned
never seen before
9a043c66905e7f00a8c6…f3a595Never scanned
never seen before
c34b3dbb25816e280c10…92de90Never scanned
never seen before
2f98f753ffe3bc5718c0…c2f203Never scanned
never seen before
9483790ad151e0eaf341…ee2548Never scanned
never seen before
e9d696f8cd712bcefe6f…3d4448Never scanned
never seen before
e30aabb518361fbeaf80…31595aNever scanned
never seen before
4f7ed27b532888ce72b9…9b0b1aNever scanned
never seen before

No researcher-database hits

External threat-intel sources were not collected for this scan.

Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

2 synthesis

MITRE ATT&CK profile

Persistence× 1C2× 1

MalwareTips synthesis rules

Our heuristics on VT data + sandbox behaviour

PersistenceScheduledTask
T1053.005 T1543.003
medium
Sandbox flagged persistence indicators (registry Run keys / services / scheduled tasks).
Evidence
iscFlash
DirectIpC2
T1071
medium
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence
162.159.36.2

Antivirus engine breakdown

1 detection across 75 engines

1 malicious0 suspicious74 clean

Tier-117 engines

0flag

Top commercial AVs (low FP rate)

Tier-238 engines

0flag

Mainstream engines with mixed FP rates

Low-trust20 engines

1flag

Heuristic / generic-AI engines (high FP rate)

Trapmine

malicious

suspicious.low.ml.score

Hash 5214af10a2c2… cross-referenced against 75 AV engines via our AV network.

PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 6.42Unpacked

Section entropy4 sections

.text

6.56

.rdata

4.70

.data

4.28

.rsrc

5.08

0.0Packed threshold 7.28.0

Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium

Unique uploaders

Moderate upload volume.

Total submissions

Includes repeat uploads by the same source.

First seen by VT

7y ago

Mar 4, 2019

Prevalence quadrant

Rare · New

Targeted malware lives here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

3/4/2019, 2:48:57 PM

First seen (MalwareBazaar)

—

Last analysis (VT)

6/11/2026, 3:32:46 AM

Scanned here

6/11/2026, 6:40:38 AM

File name: 7zS.sfx.exe
Size: 10.31 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: 5214af10a2c2db07df9ce913e25feb3a82126802bce82efb044bc33f8a283546
MD5: 63875274a2a0d1385451b5570097dee0
SHA-1: 62c27d5311318f69e00685766404351ed2ee1a5b
PE imphash: 8495975063ac354d66cfcb5c2c194d39
First seen (VT): 3/4/2019, 2:48:57 PM
Last analysis (VT): 6/11/2026, 3:32:46 AM
First scan (MalwareTips): 6/11/2026, 6:40:38 AM
Last scan (MalwareTips): 6/11/2026, 6:40:38 AM

Behavior tags

overlay32bits64bitscontains-pecontains-rompeexe

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.