Safe
Unsigned but widely submitted Windows executable matching a known Microsoft mspaint path with zero engine detections.
94aa32a2c9c1d2db78…b55fdd5709The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The complete absence of malicious detections across tier-1 and tier-2 engines combined with a CIRCL hit pointing to a Microsoft WinSxS mspaint.exe location strongly indicates a legitimate system file. While the binary is unsigned and exhibits direct-IP contacts plus credential-dumping MITRE mappings, these signals are outweighed by the 16 tier-1 clean reports and common_old prevalence. No dropped malicious children or malicious sandbox consensus exist. The file therefore aligns with a clean classification despite minor behavioural anomalies.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious detections out of 75 total (16 tier-1 clean)
externalIntel.circl.hit=true with path Windows/WinSxS/amd64_microsoft-windows-mspaint_.../mspaint.exe
prevalence.classification=common_old (351 sources, 513 submissions)
behaviour.hasMaliciousSandboxVerdict=false and droppedChildren.hasMaliciousChild=false
- Zero malicious engine detections
- CIRCL match to known Microsoft mspaint.exe path
- Common_old prevalence with hundreds of submissions
- No malicious dropped children or sandbox verdicts
- Unsigned binary
- Direct-IP network contacts without DNS
- MITRE T1003 and T1547.001 observed in sandbox
Allow the file if located in standard Windows directories; otherwise replace it from official Microsoft sources.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 74.125.69.94
- 204.79.197.203
- 209.197.3.8
- 192.168.0.84
- a83f:8110:0:0:1b00:100:2800:0
- a83f:8110:8102:0:f801:67a3:8102:0
- 23.216.147.76
- 20.62.24.77
- a83f:8110:0:0:1400:1400:2800:3800
- 23.216.147.64
- C:\Windows\debug\WIA\wiatrace.log
- C:\Windows\Debug\WIA
- C:\Windows\Debug\WIA\wiatrace.log
- C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
- C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC05.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERED0F.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERED6E.tmp.txt
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2546.tmp.WERInternalMetadata.xml
- Global\WIATRACE_MUTEX
- \Sessions\1\BaseNamedObjects\Global\WIATRACE_MUTEX
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 91057b27acd3a65af4e7…71dcefNever scannednever seen before
- 4cb7bac71da39bc46e40…c8aba2Never scannednever seen before
- 1864150a191097714a3d…27a78aNever scannednever seen before
- 2f4330caacfdb8cabde1…f0a5c8Never scannednever seen before
- edc8dc0f4532b08f74a4…f8e90cNever scannednever seen before
- 2575699810fbe4efbc8c…c47ddbNever scannednever seen before
- 51010046f60b2cff329c…cc6cbdNever scannednever seen before
- 4c6e4af9922a05c7ddb6…bdb634Never scannednever seen before
- 0805e87465808e076afb…12fa4aNever scannednever seen before
- 552d7566e3f6f765e269…790b22Never scannednever seen before
1 corroborating signal from researcher-curated sources
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
MITRE T1003 (OS Credential Dumping) mapped by at least one sandbox run.
Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence74.125.69.94 · 204.79.197.203 · 209.197.3.8
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- MSPAINT.EXE
- Size
- 965.0 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709
- MD5
- f221a4ccafec690101c59f726c95b646
- SHA-1
- 2098e4b62eaab213cbee73ba40fe4f1b8901a782
- PE imphash
- d90e4d192f94e7240c400da8fc2154d7
- First seen (VT)
- 1/13/2021, 12:04:26 AM
- Last analysis (VT)
- 6/29/2026, 12:42:24 AM
- First scan (MalwareTips)
- 7/9/2026, 5:24:25 AM
- Last scan (MalwareTips)
- 7/9/2026, 5:24:25 AM
- Community reputation
- +3trusted
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.