File verdict · Decided by the MT AI Engine
Our call

Safe

FFmpeg codec library (avcodec-60.dll) with zero tier-1 detections, 2210 submissions, and legitimate export functions; heuristic T1055 trigger is sandbox testing artifact.

Trust score: 88 (High trust)
MT AI confidence · 92%
avcodec-60.dll
3.6 MB
a9002e019e8eed38be438f671894
Antivirus engines
0 of 74 flagged
Code signing
Unsigned
Age
First seen 1y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 92% (Very high)
Reasoning

The file exhibits a clean engine consensus: 0 malicious detections across 70 reporting engines, with 17 high-trust vendors explicitly reporting it undetected. The filename and exports (av_ac3_parse_header, av_adts_header_parse, av_bsf_alloc) match the legitimate FFmpeg codec library, which has been submitted 2,210 times over 467 days with consistent clean verdicts. The triggered heuristic (T1055 Process Injection) reflects sandbox methodology — testing DLL exports via rundll32 — rather than malicious code injection. No malicious sandbox verdicts, contacted hosts, or dropped children were observed. External community analysis (FileScan.IO) confirms 'NO_THREAT' with 100% confidence.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/70 malicious; tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET, Fortinet, Emsisoft, Ikarus, GData, F-Secure, DrWeb, Avira, AVG all undetected)

  2. File: avcodec-60.dll, FFmpeg codec library; prevalence common_old (1905 submitters, 2210 submissions, 467 days old)

  3. Behaviour: T1055 heuristic fired on rundll32.exe export testing (av_ac3_parse_header, av_adts_header_parse, av_bsf_alloc); no malicious sandbox verdict, no malicious hosts contacted, no dropped children

  4. External intel: FileScan.IO community verdict 'NO_THREAT' 100/100 confidence; no YARA/CIRCL hits

  5. Unsigned but consistent with legitimate open-source codec distribution; no brand mismatch, no adversarial filename flags

Points in its favour
  • Zero malicious detections across 70 engines; 17 tier-1 vendors all report clean
  • Legitimate FFmpeg codec library (avcodec-60.dll) with known exports
  • Common_old prevalence: 2,210 submissions, 1,905 unique sources, 467 days in circulation
  • No malicious sandbox verdicts, no malicious host contact, no dropped children
  • Community analysis (FileScan.IO) confirms 'NO_THREAT' with 100% confidence
What to do

This file is safe. It is a legitimate FFmpeg audio codec library with zero tier-1 detections and 2,210 clean submissions. The heuristic trigger is a false positive from sandbox testing. No action required.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
11

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027, T1027.002, T1055, T1071, T1082, T1129, T1218.011, T1497, T1497.001, T1518.001, T1574.002
Spawned processes
14
  • "C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\avcodec-60.dll",#1
  • C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\avcodec-60.dll"
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\avcodec-60.dll",#1
  • C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\avcodec-60.dll",#1
  • C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\avcodec-60.dll,av_ac3_parse_header
  • C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\avcodec-60.dll,av_adts_header_parse
  • C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\avcodec-60.dll,av_bsf_alloc
+6 more processes captured.
Filesystem & mutexes
2
Files written: 1
  • \Device\ConDrv\\Connect
Mutexes created: 1
  • \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis
MITRE ATT&CK profile
Defense evasion × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\avcodec-60.dll",#1
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
  • Tier-1 (17 engines, 0 flagged): Top commercial AVs (low FP rate)
  • Tier-2 (37 engines, 0 flagged): Mainstream engines with mixed FP rates
  • Low-trust (20 engines, 0 flagged): Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash a9002e019e8e… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy: 8 sections
  • .text: 6.53
  • .rdata: 5.86
  • .buildid: 0.65
  • .data: 1.38
  • .pdata: 6.15
  • .tls: 0.00
  • .rsrc: 2.97
  • .reloc: 5.39
Scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
1,905
Hundreds of people have uploaded this — common.
Total submissions
2,210
Includes repeat uploads by the same source.
First seen by VT
1y ago
Feb 27, 2025
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries (this file is here)
File identity

Forensic fingerprint

File biography
First seen (VT)
2/27/2025, 8:45:37 PM
First seen (MalwareBazaar)
Last analysis (VT)
5/4/2026, 10:33:32 PM
Scanned here
6/10/2026, 9:36:41 AM
File name
avcodec-60.dll
Size
3.64 MB
MIME type
(unknown)
Detected type
Win32 DLL
SHA-256
a9002e019e8eed38becdab73c01b6d2e85850657ff752c31bb8f68438f671894
MD5
0da8020a95d29fd7c7ef020f38845115
SHA-1
2ffce00bdbae0aafbc9affe163d24484f909fc72
PE imphash
7b6e311053ac5834fd8781b5f873c0f9
First scan (MalwareTips)
6/10/2026, 9:36:41 AM
Last scan (MalwareTips)
6/10/2026, 9:36:41 AM
Behavior tags
64bits, idle, detect-debug-environment, pedll
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.