File verdict·Decided by the MT AI Engine
Our call

Safe

Zero detections across 76 engines, clean sandbox behaviour, and a CIRCL reference to a legitimate Windows system component.

Trust score92High trust
MSPAINT.EXE
2.4 MB
717e1378945bd09c89d0326db6af
Antivirus engines
0 of 76 flagged
Code signing
Unsigned
Age
First seen 6y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

90%Confidence
Very high
Reasoning

The file presents a textbook clean profile: complete absence of malicious detections, no offensive MITRE techniques, and no malicious sandbox or network signals. The external CIRCL reference explicitly maps the sample to a legitimate Microsoft Windows component path. Medium prevalence over five years further supports that this is a known benign DLL rather than a new or rare threat. Lack of signing is the only minor caveat, but it is outweighed by the unanimous engine consensus and clean behavioural record.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0 malicious out of 76 (tier1ReportedClean=17)

  2. externalIntel.circl.hit=true with knownMalicious=null referencing Windows/WinSxS mspaint.exe.mun

  3. behaviour.offensiveCount=0 and hasMaliciousSandboxVerdict=false

  4. prevalence.classification=medium (46 sources, 2235 days)

  5. similarHashes: no RAG hits

Points in its favour
  • Zero malicious engine detections
  • Clean sandbox verdict
  • CIRCL reference to legitimate Windows component
  • Medium prevalence over 2235 days
What to do

Treat as a benign system component. No further action required unless the file appears outside expected Windows directories.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
4

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.002T1218.011T1497.001
Spawned processes
6
$(unnamed)
"C:\Windows\System32\rundll32.exe" "C:\Users\<USER>\Desktop\readme.dll",#1
$(unnamed)
C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\attachment.dll"
$(unnamed)
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
$(unnamed)
C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\attachment.dll",#1
$(unnamed)
C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\attachment.dll",#1
$(unnamed)
C:\Windows\System32\SecurityHealthService.exe C:\Windows\system32\SecurityHealthService.exe
Filesystem & mutexes
7
Files written2
  • C:\ProgramData\Microsoft\Windows Security Health\Logs
  • \Device\ConDrv\\Connect
Mutexes created5
  • \BaseNamedObjects\Local\SM0:2312:304:WilStaging_02
  • \BaseNamedObjects\Local\SM0:2312:120:WilError_03
  • \BaseNamedObjects\Local\ZonesCacheCounterMutex
  • \BaseNamedObjects\Local\ZonesLockedCacheCounterMutex
  • \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
External threat intelligence

1 corroborating signal from researcher-curated sources

CIRCL hashlookup HIT·known-good reference DB·trust 50/100View on CIRCL
CIRCL-Microsoft-VM· Windows/WinSxS/amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf/mspaint.exe.mun
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Antivirus engine breakdown

0 detections across 76 engines

0 malicious0 suspicious76 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-241 engines
0flag
Mainstream engines with mixed FP rates
Low-trust18 engines
0flag
Heuristic / generic-AI engines (high FP rate)
All 76 engines report this file as clean.
Hash 717e1378945b… cross-referenced against 76 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy2 sections
.rdata
1.80
.rsrc
7.16
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
46
Moderate upload volume.
Total submissions
51
Includes repeat uploads by the same source.
First seen by VT
6y ago
May 25, 2020
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
5/25/2020, 10:43:18 PM
First seen (MalwareBazaar)
Last analysis (VT)
10/6/2025, 6:39:50 PM
Scanned here
7/9/2026, 6:25:22 AM
File name
MSPAINT.EXE
Size
2.39 MB
MIME type
(unknown)
Detected type
Win32 DLL
SHA-256
717e1378945bd09c89b1b1503c01ced9b09670192bd4b8f2c04e28d0326db6af
MD5
960bcff3f9b22d725c62c340d5ea5cdf
SHA-1
d104301df525a5e87b28a4d16eebfc9dcf63a979
First seen (VT)
5/25/2020, 10:43:18 PM
Last analysis (VT)
10/6/2025, 6:39:50 PM
First scan (MalwareTips)
7/9/2026, 6:25:22 AM
Last scan (MalwareTips)
7/9/2026, 6:25:22 AM
Behavior tags
pedllknown-distributoridlelegit
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.