File verdict · Decided by the MT AI Engine
Our call

Safe

Legitimate AIR Music Technology Xpand!2 v2.4.0 synthesizer installer; low-trust engine false positive on standard installer behaviors.

Trust score: 88 (High trust)
MT AI confidence: 92%
File name: AIR.Music.Technology.Xpand!.2.v2.4.0-TCD.exe
Size: 8.5 MB
Hash: f40859e3e89e11773f078cb09a65
Antivirus engines: 1 of 74 flagged
Code signing: Unsigned
Age: First seen 8mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 92% (Very high)
Reasoning

The file is confirmed as a legitimate commercial software installer for AIR Music Technology Xpand!2 v2.4.0, a widely-used VST synthesizer plugin sold through official channels. Only 1 of 70 reporting engines flagged it (APEX, low-trust tier), while 16 tier-1 engines remain silent—a classic false positive pattern. The triggered heuristics on process injection and LSASS access are standard behaviors for Inno Setup installers during extraction and initialization, not malware indicators. The file's prevalence (common_old, 408 sources, 248 days) is consistent with legitimate widely-distributed software. No malicious sandbox verdicts, dropped children, contacted hosts, or external intelligence hits support the low-trust flag.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=0; engines.onlyLowTrustFlagging=true; APEX (low-trust) sole malicious flag — classic FP pattern

  2. Web search confirms AIR Music Technology Xpand!2 v2.4.0 legitimate commercial product, official release October 24, 2025

  3. triggeredHeuristics: T1055/T1134/T1485/T1486 are standard Inno Setup installer behaviors, not malware indicators

  4. prevalence.classification='common_old' (408 sources, 473 submissions, 248 days) — consistent with legitimate widely-distributed software

  5. behaviour: no malicious sandbox verdict, no malicious children (0/10), no malicious contacted hosts, no external intel hits (CIRCL/YARAify/MalwareBazaar)

Points in its favour
  • Confirmed legitimate commercial software (AIR Music Technology Xpand!2 v2.4.0)
  • All 16 tier-1 antivirus engines report clean
  • Widespread prevalence (408 sources, 473 submissions, 248 days)
  • No malicious sandbox verdicts, dropped children, or contacted hosts
  • No external threat intelligence hits (CIRCL, YARAify, MalwareBazaar)
What to do

This file is safe. It is the legitimate Xpand!2 v2.4.0 synthesizer installer from AIR Music Technology. The single low-trust detection is a false positive on standard installer behavior. Proceed with installation if downloaded from official channels.

Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Verdict treated these as likely false positives.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (26)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1027, T1027.002, T1027.009, T1033, T1045, T1055, T1057, T1059, T1063, T1070, T1071, T1082, T1083, T1105, T1107, T1129, T1134, T1140, T1485, T1486, T1497, T1497.001, T1529, +2 more
Spawned processes (15)
  • "C:\Users\<USER>\Desktop\program.exe"
  • "C:\Users\<USER>\AppData\Local\Temp\is-0R9C4.tmp\program.tmp" /SL5="$60068,7360737,828928,C:\Users\<USER>\Desktop\program.exe"
  • C:\Windows\Explorer.EXE
  • C:\Windows\system32\services.exe
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  • C:\Windows\system32\lsass.exe
+7 more processes captured.
Filesystem & mutexes (37)
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\is-0R9C4.tmp\program.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-69QH6.tmp\_isetup\_setup64.tmp
  • C:\Program Files\Vstplugins\AIR Music Technology\Xpand!2_x64.dll
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\unins000.dat
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\is-6SO83.tmp
+10 more
Files deleted (15)
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\is-6SO83.tmp
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\is-I47BU.tmp
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\is-JEVLA.tmp
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\is-EU0JF.tmp
  • C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\is-AUIMH.tmp
+10 more
Mutexes created (7)
  • cversions.3.m
  • Local\MSCTF.Asm.MutexDefault1
  • Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
  • DefaultTabtip-MainUI
+2 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

Synthesis rules fired: 2
MITRE ATT&CK profile: Defense evasion × 1, Cred access × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
Antivirus engine breakdown

1 detection across 74 engines

1 malicious, 0 suspicious, 73 clean
Tier-1 (17 engines): 0 flagged. Top commercial AVs (low FP rate).
Tier-2 (37 engines): 0 flagged. Mainstream engines with mixed FP rates.
Low-trust (20 engines): 1 flagged. Heuristic / generic-AI engines (high FP rate).
  • APEX: malicious (Malicious)
Hash f40859e3e89e… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Packer detection: Unpacked (entropy scale 0.0 to 8.0, packed threshold 7.2)
Section entropy (10 sections)
  • .text: 6.40
  • .itext: 6.15
  • .data: 5.19
  • .bss: 0.00
  • .idata: 4.80
  • .didata: 2.75
  • .edata: 1.25
  • .tls: 0.00
  • .rdata: 1.38
  • .reloc: 6.71
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Classification: Common & old
Unique uploaders: 408 (hundreds of people have uploaded this — common)
Total submissions: 473 (includes repeat uploads by the same source)
First seen by VT: 8mo ago (Oct 24, 2025)
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old (this file is here): trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT): 10/24/2025, 3:30:30 PM
First seen (MalwareBazaar):
Last analysis (VT): 6/24/2026, 4:28:14 AM
Scanned here: 6/29/2026, 9:45:42 AM
File name: AIR.Music.Technology.Xpand!.2.v2.4.0-TCD.exe
Size: 8.54 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: f40859e3e89e11773f86c9978bdfed8aefb1b714566d444601d4b4078cb09a65
MD5: 05ad4d0c01e01c8d39adda87872f870b
SHA-1: 2bc872b7c0aff168b260e9f5911e8899ca7213ec
PE imphash: e8ac1646024d52d1534a88da2e8037cd
First scan (MalwareTips): 6/29/2026, 9:45:42 AM
Last scan (MalwareTips): 6/29/2026, 9:45:42 AM
Behavior tags: peexe, overlay
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.