Malicious
14 tier-1 engines converge on Malgent trojan/downloader; direct-IP C2 contact and sandbox evasion techniques confirm malware.
a35c607f410213b4bd…e320fe5d81

The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence converges strongly on malware. Fourteen tier-1 engines (Microsoft, Fortinet, TrendMicro, Sophos, Symantec, BitDefender, Avast, Ikarus, and others) agree on the Malgent family or closely related trojan/downloader variants. The triggered heuristic 'DirectIpC2' identifies a hallmark malware evasion technique: contacting 18 external IPs without any DNS queries, which bypasses domain-based reputation blocklists. Sandbox analysis recorded six ambient MITRE techniques including code obfuscation (T1027.002), input capture (T1056), and sandbox evasion (T1497.001)—a profile consistent with trojan/downloader malware. The file is unsigned, has no legitimate signer history, and has been submitted 384 times since September 2022, indicating it is a known malware sample rather than a novel or misclassified file.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines.tier1Malicious=14/17 (82%); tier1FamilyConsensus.strong=true with 4 tier-1 engines agreeing on 'win32' family
- Microsoft, Fortinet, TrendMicro, Sophos, Symantec, BitDefender, Avast, Ikarus all flag 'Malgent', 'Dlder', 'Evo-gen', or 'W32/Mal_DLDER' — consistent named-family consensus
- triggeredHeuristics: 'MalwareTips.Synth.DirectIpC2' fired — 18 external IPs contacted, zero domains; direct-IP C2 is an evasion technique that bypasses DNS reputation systems
- behaviour.mitreTechniques includes T1027.002 (code obfuscation), T1056 (input capture), T1497.001 (sandbox evasion), T1574.002 (DLL side-loading) — trojan/downloader profile
- signing.verified=false, unsigned; prevalence.classification='common_old' (291 submitters, 384 submissions since 2022-09-03) — established malware with no legitimate signer backing
- No malicious sandbox verdict explicitly recorded (though sandbox evasion technique suggests evasion rather than benignity)
- 14/17 tier-1 engines flag as Malgent trojan/downloader
- Direct-IP C2 contact (18 IPs, zero DNS) — evasion technique
- Code obfuscation and sandbox evasion techniques detected
- Input capture capability (credential-theft risk)
- Unsigned executable with no legitimate signer history
- Spawns child processes (OneKey.exe, updater.exe) — typical downloader payload delivery
Block and remove this file immediately. It is a confirmed trojan/downloader with high-confidence detection across tier-1 antivirus engines and direct-IP C2 communication patterns. Do not attempt to execute or analyse it in an uncontrolled environment.
malgent corroborated by 2 sources
- VT (74 engines): malgent
- MT AI Engine: Malgent
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 18 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: a83f:8110:0:0:100:0:1800:0 · 20.62.24.77 · 23.216.147.64
44 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: AorUi.exe
- Size: 2.09 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: a35c607f410213b4bd119c7faa88fd60717a97bd4c84da11ae515ee320fe5d81
- MD5: b967a951488268dce91797d12ec4379a
- SHA-1: ca38f04ab266dd756dee6a667e3bfc897d83d065
- PE imphash: 58c41d9c49c748c060398d3909617cc0
- First seen (VT): 9/3/2022, 6:39:50 AM
- Last analysis (VT): 6/24/2026, 1:47:26 PM
- First scan (MalwareTips): 7/3/2026, 6:14:34 AM
- Last scan (MalwareTips): 7/3/2026, 6:14:34 AM
- Community reputation: +15 (trusted)
Reviews & malware reports (0)