Safe
Single low-trust heuristic detection on aged, widely-distributed file; 13 tier-1 engines silent; contacted IPs are Microsoft infrastructure.
aec7b713a9d3ed7302…1dc85aae51
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The detection profile is characteristic of a low-trust-only false positive. Trapmine's generic 'suspicious.low.ml.score' label carries minimal weight against the consensus silence of tier-1 engines (Kaspersky, BitDefender, ESET, Fortinet, Avira, F-Secure, GData, Emsisoft). The file's age (612 days) and prevalence (1587 submissions from 1330 sources) indicate it is widely distributed commodity software; if genuinely malicious, tier-1 engines would have flagged it long ago. The DirectIpC2 heuristic, while flagged as medium severity, is undermined by the presence of Microsoft IP ranges (20.99.*, 131.253.*) and private IPs (192.168.*), which are consistent with Windows Update and system telemetry rather than adversarial command-and-control. No malicious sandbox verdict, no dropped children, and no malicious host contacts further support a benign classification.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- 1/65 engines malicious (Trapmine, low-trust); tier1Malicious=0; onlyLowTrustFlagging=true
- Trapmine label 'suspicious.low.ml.score' is a generic ML heuristic; 13 tier-1 engines (Kaspersky, BitDefender, ESET, Fortinet, Avira, F-Secure, GData, Emsisoft) all undetected
- triggeredHeuristics: DirectIpC2 fired, but contacted IPs include Microsoft ranges (20.99.186.246, 131.253.33.203) and private IPs (192.168.*), consistent with Windows telemetry
- prevalence: common_old (1330 submitters, 1587 submissions, 612 days old); RAG shows a similar imphash verdicted 'unknown' with ai:low_trust_engines_only
- Community analysis (FileScan.IO, threat.rip) both report clean/no-threat; no malicious sandbox verdict, no dropped children, no malicious host contacts
- 13 tier-1 antivirus engines silent (Kaspersky, BitDefender, ESET, Fortinet, Avira, F-Secure, GData, Emsisoft)
- Contacted IPs are Microsoft infrastructure and private ranges, not adversarial C2
- Widely distributed (1587 submissions, 1330 unique sources, 612 days old)
- Community analysis reports clean (FileScan.IO 100% confidence NO_THREAT, threat.rip Clean 0/100)
- No malicious sandbox verdict, no dropped children, no malicious host contacts
- DirectIpC2 heuristic fired (contacted 14 external IPs without DNS)
- File is unsigned
- Generic ML heuristic detection from low-trust engine
This file is safe to use. The single low-trust detection is a false positive; tier-1 engines and independent security researchers confirm it is benign. No remediation is necessary.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
Contacted IP addresses:
- 192.168.0.67
- 20.99.186.246
- 23.192.210.9
- 20.99.133.109
- 23.216.81.152
- 131.253.33.203
- 20.69.140.28
- 192.168.0.48
- 23.197.238.105
- 23.219.78.68
File paths observed:
- %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\KLT1I0ZU\update50[1].xml
- C:\Windows\System32\wbem\Performance\WmiApRpl.h
- C:\Windows\System32\wbem\Performance\WmiApRpl.ini
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 14 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 20.99.186.246 · 23.192.210.9 · 20.99.133.109
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: Windose.exe
- Size: 651.0 KB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: aec7b713a9d3ed73029d7aeadb351ab13c57ee3d8a8a40429a64661dc85aae51
- MD5: 5048f4ce0773f13df956b7f8494724f3
- SHA-1: 89e0aa8d2aa11e3af04e6ce0482243ed6deae6de
- PE imphash: ce1183cc150987a99aef5749f22af81e
- First seen (VT): 10/30/2024, 4:24:59 PM
- Last analysis (VT): 7/3/2026, 12:06:21 AM
- First scan (MalwareTips): 7/4/2026, 5:03:27 AM
- Last scan (MalwareTips): 7/4/2026, 5:03:27 AM
- Community reputation: +1 (trusted)
Reviews & malware reports (0)