Safe
17 tier-1 engines report clean; zero malicious detections across 71 engines; old installer-like utility with benign file-drop pattern.
f2466c19e3d0d5cacd…065e9839afThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence strongly supports a benign classification. Seventeen tier-1 antivirus engines—including industry leaders BitDefender, Kaspersky, ESET-NOD32, Fortinet, and Avast—all report the file as undetected. Zero of 71 reporting engines flagged it as malicious or suspicious. The file's age (first submitted in 2008) and medium prevalence (65 unique submitters) indicate it is a known-benign or legacy utility. Behavioural analysis shows zero offensive MITRE techniques and installer-consistent file drops (CKRename.exe, uninstal.exe). A single heuristic rule (MalwareTips.Synth.DirectIpC2) fired on direct-IP contact, but this is isolated evidence without malware family naming, tier-1 consensus, or malicious sandbox verdict. The filename pattern and file-drop behaviour are consistent with a legitimate rename utility installer, not malware.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, GData, Ikarus, F-Secure, Emsisoft, DrWeb, Avira, AVG, and others all undetected)
engines.malicious=0/71; no malware family consensus; no tier-1 agreement on any threat
behaviour: 0 offensive MITRE techniques; 9 ambient techniques consistent with installer; no malicious sandbox verdict; droppedChildren.hasMaliciousChild=false
triggeredHeuristics: MalwareTips.Synth.DirectIpC2 fired (medium severity) on single IPv6 contact, but isolated against clean consensus — insufficient to override
prevalence.classification=medium (65 submitters, 76 submissions since 2008); file age 6506 days; filename pattern consistent with CKRename utility installer
- 17 tier-1 antivirus engines (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, GData, Ikarus, F-Secure, Emsisoft, DrWeb, Avira, AVG, and others) all report undetected
- Zero malicious detections across 71 reporting engines
- File age 6,506 days (first submitted 2008) with medium prevalence (65 unique submitters, 76 submissions)
- Zero offensive MITRE techniques; 9 ambient techniques consistent with installer software
- File-drop pattern (CKRename.exe, uninstal.exe, uninstal.log) consistent with legitimate rename utility installer
- MalwareTips.Synth.DirectIpC2 heuristic fired on direct-IP contact (IPv6 a83f:8110:6700:7500:6c00:6100:7400:6f00) with zero domain contact
- Joe Sandbox community analysis reported borderline-suspicious verdict (score 22/100)
- Unsigned executable with no publisher verification
This file is classified as benign based on consensus from 17 tier-1 antivirus engines and 18 years of prevalence data. No action is required. If you have specific concerns about the DirectIpC2 heuristic or wish to verify the file's legitimacy, consult the official CKRename utility publisher or your security team.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- a83f:8110:6700:7500:6c00:6100:7400:6f00
- C:\Users\<USER>\AppData\Local\Temp\instcrin.dll
- C:\Program Files (x86)\CKRename\uninstal.log
- C:\Program Files (x86)\CKRename\Uninstal.exe
- C:\Documents and Settings\Administrator\Local Settings\Temp\instcrin.dll
- C:\Program Files\CKRename\uninstal.log
- C:\Users\<USER>\AppData\Local\Temp\instcrin.dll
- C:\Documents and Settings\Administrator\Local Settings\Temp\instcrin.dll
- C:\Users\user\AppData\Local\Temp\instcrin.dll
- CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Files this sample writes at runtime
This file drops 5 children at runtime. None are currently flagged malicious in our cache.
- 4d82c0a5ca87ad225fa8…e2c191Never scannednever seen before
- cf87c2a055733ba60215…64a7bbNever scannednever seen before
- 216d8c03fc834a2703a9…4c8d25Never scannednever seen before
- cfd0d3cd954fab163d26…d936f4Never scannednever seen before
- abb20c12b8cad6f55883…e6bb08Never scannednever seen before
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidencea83f:8110:6700:7500:6c00:6100:7400:6f00
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- ckrn_108.exe
- Size
- 601.5 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- f2466c19e3d0d5cacd26f034dfd36561c39297d19a2936ac31a828065e9839af
- MD5
- 8ff088fa78f39a41315179be3002545d
- SHA-1
- 50c4ecbf3731ea9f96b6d7be2738e7fc97b58bd1
- PE imphash
- 547c94826e733fab0c2f59262339e0b1
- First seen (VT)
- 9/5/2008, 5:01:46 AM
- Last analysis (VT)
- 6/26/2026, 1:19:41 PM
- First scan (MalwareTips)
- 6/28/2026, 5:54:07 PM
- Last scan (MalwareTips)
- 6/28/2026, 5:54:07 PM
- Community reputation
- -2flagged
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.