File verdict·Decided by the MT AI Engine
Our call

Malicious

DRTCP.exe is a long-known TCP/IP tweaking utility flagged only by one engine as adware; tier-1 engines see no threat and it's likely safe from a trusted source.

Adware.DLBoost.Win32.22
Trust score96High trust
DRTCP.exe
52.5 KB
de08e3d24dc3cafea0b2e1c945b6
Antivirus engines
1 of 76 flagged
Code signing
Unsigned
Age
First seen 19y ago
MT AI Engine · Verdict analysis

The reasoning behind this verdict

The MT AI Engine weighs every signal from this scan — antivirus detections, sandbox behaviour, code signing, prevalence and historical matches — to reach a single, evidence-based verdict.

35%Confidence
Exploratory
Reasoning

The file DRTCP.exe matches the hash of DrTCP version 0.2, a portable tool for tweaking TCP/IP parameters like MTU and RWIN directly via the registry. Our antivirus network shows just one detection from Zillya as Adware.DLBoost (a bundler), with 71 clean including all tier-1 engines like BitDefender and Kaspersky. It's unsigned but has positive reputation (32), common prevalence over 500 submissions since 2007, and no external threat intel hits. Behavior includes registry queries and network calls to Microsoft IPs, consistent with a network optimizer. A prior scan on our site also noted it as a legit network tool despite the flag.

Points in its favour
  • First submitted in 2007 (7002 days old) with positive reputation score of 32 and 504 community submissions.
  • 17 tier-1 engines (BitDefender, Kaspersky, ESET, etc.) reported clean out of 76 total.
  • No hits in MalwareBazaar, YARAify, or CIRCL threat intel sources.
  • Identified as legitimate DrTCP TCP optimizer utility.
  • Prior MalwareTips analysis recognizes it as a legit network tool.
Points against
  • Zillya detects it as Adware.DLBoost.Win32.22, suggesting possible unwanted software bundling.
  • Unsigned executable, common for portable tools but raises impersonation risk.
  • Network tags include direct-cpu-clock-access, which can appear in both tools and threats.
  • Sandbox behavior shows outbound connections to 20.99.* IPs (Microsoft Azure) and spawning wuapihost.exe.
  • Mixed VT community comments mention possible worm traits alongside goodware tags.
Recommended action

Only run if you trust the download source, such as an official archive of Todd Laney's DrTCP; otherwise, delete it. Use a sandbox like Sandboxie for testing network tweaks.

What this file does

What it attempted when executed in an isolated sandbox

  • High concern: Talks to a remote server to take commands or send out your data.

  • High concern: Installs itself as a Windows service to stay running.

  • Moderate concern: Runs hidden system commands (script or shell).

  • Moderate concern: Scans through your files and folders.

  • Note: Collects details about your system.

  • Note: Loads extra code modules while running.

Translated from the file's technical behaviour during analysis. It never ran on your device.

Threat context

How bundlers & adware work

This is a bundler — a real-looking installer that hides extra software inside. When you run it, it quietly installs things you never asked for: ad injectors, browser toolbars, fake 'PC cleaner' apps, or even more bundlers. The people behind it get paid for every unwanted app they sneak on.

Bottom line:It's not usually built to destroy files, but it slows your PC, floods it with ads, and can be a real pain to fully remove.

What to do now

This file is dangerous. Treat it as harmful and remove it.

  1. Don't open or run this file. Delete it from your Downloads (or wherever you saved it), then empty the Recycle Bin.

  2. If you already opened it, disconnect from the internet and run a full scan with your antivirus — Windows Security, built into Windows, is sufficient.

  3. If you typed any passwords while it was open, change them from a device you trust.

  4. In future, only download software from the official website or an official app store.

Threat family attribution

Adware.DLBoost.Win32.22 corroborated by 1 source

  • MT AI Engine
    Adware.DLBoost.Win32.22
Sources disagree

1 contradiction resolved by the scoring engine

MT AI Engine read "suspicious", displayed verdict is "malicious"
A ground-truth gate (admin override, MalwareBazaar, empty-file) or the low-confidence display rule shifted the final call.
Displayed verdict tracks the harder evidence.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
9

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012T1059· Runs commandsT1071· Remote server (C2)T1082· System reconT1083· Scans your filesT1112T1129· Loads modulesT1543.003· Service installT1569.002
Spawned processes
4
$(unnamed)
"C:\Users\<USER>\Desktop\file.exe"
$(unnamed)
%SAMPLEPATH%\DRTCP.exe
$(unnamed)
C:\Windows\System32\wuapihost.exe
$(unnamed)
%SAMPLEPATH%\de08e3d24dc3cafea087936be9b2016951b0b9f5c96399b74c0cc3b2e1c945b6.exe
Network activity
10
IP addresses10
  • 20.99.184.37
  • 20.99.186.246
  • 192.229.211.108
  • 20.96.52.198
  • 23.216.147.76
  • 20.99.185.48
  • a83f:8110:0:0:a800:0:0:0
  • 20.99.133.109
  • 192.168.0.46
  • 23.216.81.152
Filesystem & mutexes
22
Files deleted15
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB67.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB79.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB89.tmp.txt
  • C:\Windows\System32\spp\store\2.0\cache\cache.dat
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1613.tmp.WERInternalMetadata.xml
+10 more
Mutexes created7
  • CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
+2 more
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

1 detection across 76 engines

1 malicious0 suspicious75 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-241 engines
1flag
Mainstream engines with mixed FP rates
Low-trust18 engines
0flag
Heuristic / generic-AI engines (high FP rate)
Zillya
malicious
Adware.DLBoost.Win32.22
Hash de08e3d24dc3… cross-referenced against 76 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy6 sections
.text
6.33
.rdata
4.91
.data
3.18
.idata
5.26
.rsrc
4.27
.reloc
6.02
0.0Packed threshold 7.28.0
Prevalence

How widely this file has been seen

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
400
Hundreds of people have uploaded this — common.
Total submissions
504
Includes repeat uploads by the same source.
First seen
19y ago
Feb 20, 2007
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
here
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
2/20/2007, 4:32:21 PM
First seen (MalwareBazaar)
Last analysis (VT)
4/22/2026, 8:29:03 PM
Scanned here
4/23/2026, 4:19:29 PM
File name
DRTCP.exe
Size
52.5 KB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
de08e3d24dc3cafea087936be9b2016951b0b9f5c96399b74c0cc3b2e1c945b6
MD5
5db09a8e32164e4669f5eadc0cf50182
SHA-1
597d16a19baf7d15a045be41c907b956d1de706b
PE imphash
8c622f6d71aa3d07bd30e01a36f2f7fa
First seen (VT)
2/20/2007, 4:32:21 PM
Last analysis (VT)
4/22/2026, 8:29:03 PM
First scan (MalwareTips)
4/20/2026, 3:50:15 PM
Last scan (MalwareTips)
4/23/2026, 4:19:29 PM
Community reputation
+32trusted
Behavior tags
direct-cpu-clock-accesspeexeruntime-modules
Frequently asked

Safety FAQ

Common questions about DRTCP.exe, answered from the scan data above.

  • Yes — DRTCP.exe is malicious, so do not run it, and delete it. 1 of 76 antivirus engines flag it (family: Adware.DLBoost.Win32.22). It behaves as adware or a potentially unwanted program (PUA) — not always destructive, but it bundles ads, trackers, or unwanted changes you didn't ask for. If you've already run it, see the removal and recovery steps below.
  • DRTCP.exe is a Windows executable program, about 53 KB. Our analysis identifies it as malicious (family: Adware.DLBoost.Win32.22) — adware or a potentially unwanted program (PUA) — not always destructive, but it bundles ads, trackers, or unwanted changes you didn't ask for. Because a file's name and icon can be faked, the safest way to identify it is by its cryptographic hash (below), not its filename.
  • 1 of 76 antivirus engines flagged DRTCP.exe, 1 of them as outright malicious. A detection rate at this level is a reliable signal that the file is dangerous.
  • Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
  • To remove DRTCP.exe: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original DRTCP.exe file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
  • DRTCP.exe is classified as adware or a potentially unwanted program (PUA) — not always destructive, but it bundles ads, trackers, or unwanted changes you didn't ask for. Engines attribute it to the Adware.DLBoost.Win32.22 family. Knowing the family matters because it tells you the likely impact — data theft, remote control, file encryption, or unwanted ads — and guides the cleanup.
  • The SHA-256 hash of DRTCP.exe is de08e3d24dc3cafea087936be9b2016951b0b9f5c96399b74c0cc3b2e1c945b6, and its MD5 is 5db09a8e32164e4669f5eadc0cf50182. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
  • This report reflects the scan run on April 20, 2026. Because a file's hash never changes, the identity of DRTCP.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Scanned by
harlan4096Staff
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.