Safe
Zero detections across 76 engines, clean sandbox behaviour, and a CIRCL reference to a legitimate Windows system component.
717e1378945bd09c89…d0326db6afThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file presents a textbook clean profile: complete absence of malicious detections, no offensive MITRE techniques, and no malicious sandbox or network signals. The external CIRCL reference explicitly maps the sample to a legitimate Microsoft Windows component path. Medium prevalence over five years further supports that this is a known benign DLL rather than a new or rare threat. Lack of signing is the only minor caveat, but it is outweighed by the unanimous engine consensus and clean behavioural record.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious out of 76 (tier1ReportedClean=17)
externalIntel.circl.hit=true with knownMalicious=null referencing Windows/WinSxS mspaint.exe.mun
behaviour.offensiveCount=0 and hasMaliciousSandboxVerdict=false
prevalence.classification=medium (46 sources, 2235 days)
similarHashes: no RAG hits
- Zero malicious engine detections
- Clean sandbox verdict
- CIRCL reference to legitimate Windows component
- Medium prevalence over 2235 days
Treat as a benign system component. No further action required unless the file appears outside expected Windows directories.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\ProgramData\Microsoft\Windows Security Health\Logs
- \Device\ConDrv\\Connect
- \BaseNamedObjects\Local\SM0:2312:304:WilStaging_02
- \BaseNamedObjects\Local\SM0:2312:120:WilError_03
- \BaseNamedObjects\Local\ZonesCacheCounterMutex
- \BaseNamedObjects\Local\ZonesLockedCacheCounterMutex
- \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
1 corroborating signal from researcher-curated sources
0 detections across 76 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- MSPAINT.EXE
- Size
- 2.39 MB
- MIME type
- (unknown)
- Detected type
- Win32 DLL
- SHA-256
- 717e1378945bd09c89b1b1503c01ced9b09670192bd4b8f2c04e28d0326db6af
- MD5
- 960bcff3f9b22d725c62c340d5ea5cdf
- SHA-1
- d104301df525a5e87b28a4d16eebfc9dcf63a979
- First seen (VT)
- 5/25/2020, 10:43:18 PM
- Last analysis (VT)
- 10/6/2025, 6:39:50 PM
- First scan (MalwareTips)
- 7/9/2026, 6:25:22 AM
- Last scan (MalwareTips)
- 7/9/2026, 6:25:22 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.