File verdict · Decided by the MT AI Engine
Our call

Malicious

9 tier-1 engines agree on Trojan.Tedy/Kepavll; process injection and hollowing techniques confirm malware intent.

Trojan.Tedy / Kepavll (xmrig variant)
Trust score 8 · Critical
MT AI confidence · 94%
SimpleM_[unknowncheats.me]_.exe
1.5 MB
70cc1bf36efc6204abf298f1b384
Antivirus engines
38 of 75 flagged
Code signing
Unsigned
Age
First seen 3mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

94% Confidence
Very high
Reasoning

This file exhibits strong malicious indicators across multiple dimensions. Nine tier-1 antivirus engines converge on the Trojan.Tedy/Kepavll family, establishing high-confidence consensus. The 62% detection rate (38/61 engines) spans tier-1, tier-2, and low-trust vendors, ruling out isolated heuristic false positives. Behavioural analysis reveals offensive MITRE techniques: process injection (T1055.003) and process hollowing (T1134) are evasion tactics used exclusively by malware to bypass security hooks. The triggered heuristic 'MalwareTips.Synth.ProcessInjection' confirms the injection pattern at high severity. The file is unsigned with no signer history, removing a trust signal. Community researchers independently classify the sample as malware across Hatching Triage, FileScan, and MWDB, with threat scores of 10/10. The medium prevalence (126 submitters, 131 submissions) indicates established distribution rather than a rare false positive.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=9 (Avira, BitDefender, Emsisoft, Fortinet, GData, Ikarus, Microsoft, Sophos, Symantec) with tier1FamilyConsensus.strong=true on 'variant' family

  2. engines.malicious=38/61 (62% detection rate); onlyLowTrustFlagging=false — consensus spans tier-1 and tier-2 engines

  3. behaviour.offensiveTechniques=[T1055.003 Process Injection, T1134 Process Hollowing, T1620]; triggeredHeuristics 'MalwareTips.Synth.ProcessInjection' fired (high severity)

  4. signing.verified=false, unsigned executable with no signer history; prevalence.classification='medium' (126 submitters, 131 submissions)

  5. communityComments consensus: '#xmrig', '#malware', '#stealer', '#trojan'; independent analyses (Hatching Triage, FileScan, jaffacakes118, MWDB) corroborate malicious classification; Threat Score 10/10

Points in its favour
  • No malicious sandbox verdict recorded (though process injection is designed to evade sandbox detection)
  • No malicious contacted hosts in our URL cache (though behaviour shows process injection into legitimate processes)
  • No dropped malicious children recorded (process injection is the attack vector itself)
Points against
  • 9 tier-1 antivirus engines agree on Trojan.Tedy/Kepavll family classification
  • Process injection (T1055.003) and process hollowing (T1134) techniques confirm evasion intent
  • 62% detection rate (38/61 engines) across tier-1, tier-2, and low-trust vendors
  • Unsigned executable with no publisher history or signer reputation
  • Medium prevalence (126 submitters, 131 submissions) indicates established malware distribution
  • Community researchers independently corroborate malicious classification across multiple platforms
What to do

Remove this file immediately and do not execute it. Scan your system with updated antivirus software to detect and remove any instances. Review system logs for signs of process injection or unusual process activity, and check the source of the download for other potentially compromised files.

Threat family attribution

tedy corroborated by 2 sources

  • VT (75 engines): tedy
  • MT AI Engine: Trojan.Tedy / Kepavll (xmrig variant)
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
18

Adversary techniques mapped to the MITRE ATT&CK framework.

T1010, T1027, T1027.002, T1027.005, T1055.003, T1056.001, T1057, T1059, T1071, T1082, T1083, T1115, T1129, T1134, T1518, T1614, T1614.001, T1620
Spawned processes
3
  • (unnamed): "C:\Users\user\Desktop\SimpleM_[unknowncheats.me]_.exe"
  • (unnamed): C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • (unnamed): C:\Windows\System32\SecurityHealthService.exe C:\Windows\system32\SecurityHealthService.exe
Filesystem & mutexes
6
Files written · 2
  • C:\ProgramData\Microsoft\Windows Security Health\Logs
  • \Device\ConDrv\\Connect
Mutexes created · 4
  • \BaseNamedObjects\Local\SM0:6380:304:WilStaging_02
  • \BaseNamedObjects\Local\SM0:6380:120:WilError_03
  • \BaseNamedObjects\Local\ZonesCacheCounterMutex
  • \BaseNamedObjects\Local\ZonesLockedCacheCounterMutex
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis
MITRE ATT&CK profile
Defense evasion × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection · severity: high

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Users\user\Desktop\SimpleM_[unknowncheats.me]_.exe"
Antivirus engine breakdown

38 detections across 75 engines

38 malicious · 0 suspicious · 37 clean

Tier-1 · 17 engines · 9 flag
Top commercial AVs (low FP rate)

Tier-2 · 38 engines · 16 flag
Mainstream engines with mixed FP rates

Low-trust · 20 engines · 13 flag
Heuristic / generic-AI engines (high FP rate)
Engine | Verdict | Detection name
AhnLab-V3 | malicious | Trojan/Win.Kryptik.C5866852
alibabacloud | malicious | Trojan:Win/Wacapew.A9nj
ALYac | malicious | Gen:Variant.Tedy.933434
APEX | malicious | Malicious
Arcabit | malicious | Trojan.Tedy.DE3E3A
Avira | malicious | TR/W64.Agent
BitDefender | malicious | Gen:Variant.Tedy.933434
Bkav | malicious | W32.Malware.1D8CCC61
CAT-QuickHeal | malicious | Trojan.Kepavll
CrowdStrike | malicious | win/malicious_confidence_90% (W)
CTX | malicious | exe.trojan.kepavll
Cylance | malicious | Unsafe
Cynet | malicious | Malicious (score: 100)
DeepInstinct | malicious | MALICIOUS
Elastic | malicious | malicious (high confidence)
Emsisoft | malicious | Gen:Variant.Tedy.933434 (B)
Fortinet | malicious | W64/GenKryptik.HPSZ!tr
GData | malicious | Gen:Variant.Tedy.933434
Google | malicious | Detected
Ikarus | malicious | Trojan.Win64.Krypt
K7AntiVirus | malicious | Trojan ( 006dbae61 )
K7GW | malicious | Trojan ( 006dbae61 )
Kingsoft | malicious | Win32.Troj.kepavll.v
Lionic | malicious | Trojan.Win32.Kepavll.4!c
Malwarebytes | malicious | Trojan.Stealer
McAfeeD | malicious | ti!70CC1BF36EFC
Microsoft | malicious | Trojan:Win32/Kepavll!rfn
MicroWorld-eScan | malicious | Gen:Variant.Tedy.933434
Paloalto | malicious | generic.ml
Rising | malicious | Trojan.Kryptik!8.8 (TFE:5:PVDxpSEQO7G)
Sangfor | malicious | Trojan.Win64.Kryptik.Vfpf
Sophos | malicious | Mal/Generic-S
Symantec | malicious | ML.Attribute.HighConfidence
Tencent | malicious | Malware.Win32.Gencirc.14acd4f0
Trapmine | malicious | malicious.moderate.ml.score
VIPRE | malicious | Gen:Variant.Tedy.933434
ViRobot | malicious | Trojan.Win.C.Tedy.1554944
Webroot | malicious | W32.Trojan.Kepavll
Hash 70cc1bf36efc… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy · 7 sections

Section | Entropy
.text | 6.57
.rdata | 5.88
.data | 6.42
.pdata | 5.93
.fptable | 0.00
.rsrc | 4.76
.reloc | 5.43

Entropy scale 0.0 to 8.0; packed threshold 7.2.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
126
Hundreds of people have uploaded this — common.
Total submissions
131
Includes repeat uploads by the same source.
First seen by VT
3mo ago
Mar 28, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT): 3/28/2026, 10:17:43 PM
First seen (MalwareBazaar):
Last analysis (VT): 5/25/2026, 12:55:35 AM
Scanned here: 6/10/2026, 5:18:20 PM
File name: SimpleM_[unknowncheats.me]_.exe
Size: 1.48 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: 70cc1bf36efc6204abd73fd68b22c386032e568ce8ea18ee63f11df298f1b384
MD5: ffc7b0cf3c712119e3a7aacad0511e71
SHA-1: 3a3f1ea1f7072348ecdeb860a159548e5f3b0292
PE imphash: 8b8cf38370ca50900ee61326f007923c
First scan (MalwareTips): 6/10/2026, 5:18:20 PM
Last scan (MalwareTips): 6/10/2026, 5:18:20 PM
Behavior tags: peexe, spreader, 64bits
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.