Safe
Zero engine detections, verified Realtek signature, medium prevalence, and clean sandbox behaviour outweigh the single direct-IP heuristic.
bb5338a282f5b2f44a…33d400b0c7The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections from 74 engines including 17 tier-1 engines eliminates the possibility of a named family or tier-1 consensus. The verified Realtek signature and medium prevalence (74 sources) indicate a distributed legitimate component. The single triggered heuristic on direct-IP contact is a weak signal without sandbox or engine backing. No dropped children, no malicious hosts, and no YARA/CIRCL hits further support a benign classification.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious across 70 reporting engines, tier1Malicious=0
signing.verified=true, signer='Realtek Semiconductor Corp.'
prevalence.classification='medium' (74 unique sources, 82 submissions)
triggeredHeuristics[0].rule='MalwareTips.Synth.DirectIpC2' with evidence 162.159.36.2
behaviour.hasMaliciousSandboxVerdict=false, externalIntel.yaraify.ruleCount=0
- 0/74 engines flagged malicious
- Verified signature by Realtek Semiconductor Corp.
- Medium prevalence across 74 sources
- No sandbox malicious verdict
- No external intelligence hits
- Direct-IP contact without DNS resolution (162.159.36.2)
Proceed with normal use; the evidence shows a clean, signed Realtek component with only an isolated heuristic flag.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- \Device\ConDrv\\Connect
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence162.159.36.2
0 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- RTUWPSrvcMain.exe
- Size
- 1002.9 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- bb5338a282f5b2f44a5b4262f780af2c358261fc921d6c711a5dcb33d400b0c7
- MD5
- 33272b78d92f5bd070a77bbeedd3642e
- SHA-1
- 654d2ca67c78778b6bc154a665c63d637c2393e8
- PE imphash
- 042ceac2339f8adae30df46a05216185
- First seen (VT)
- 1/24/2026, 3:40:43 PM
- Last analysis (VT)
- 7/3/2026, 11:53:23 AM
- First scan (MalwareTips)
- 7/8/2026, 5:01:14 AM
- Last scan (MalwareTips)
- 7/8/2026, 5:01:14 AM
- Code signer
- Realtek Semiconductor Corp.verified
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.