File verdict·Decided by the MT AI Engine

Our call

Malicious

Item: WINMM.dll
Rating: 1
Author: MalwareTips File Scanner

15 tier-1 antivirus engines converge on Tedy/DLLhijack trojan family; unsigned DLL with rundll32 proxy execution telemetry; 1,474 submissions confirm widespread malware.

Tedy

Trust score8Critical

MT AI confidence · 96%

WINMM.dll

16.3 MB

ba740fc3f76464c5aa…8c3c1b3bc1

Antivirus engines

51 of 75 flagged

Code signing

Unsigned

Age

First seen 1y ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

96%Confidence

Very high

Reasoning

The evidence strongly indicates genuine malware. Tier-1 consensus (15/17 engines) with strong family agreement (5 engines on 'win64') is a hallmark of real malware detection, not false positives. Named families (Tedy, DLLhijack, Agent, Packunwan) from reputable engines like BitDefender, Kaspersky, Avira, and ESET rule out generic heuristic noise. The unsigned status and filename mimicking a legitimate Windows DLL (WINMM.dll) are consistent with DLL hijacking tactics. Process telemetry showing rundll32.exe proxy execution (T1218.011) and DLL side-loading (T1574.002) aligns with the threat label. High prevalence (1,236 submitters, 1,474 submissions) confirms this is a known malware sample, not a rare false positive.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

tier1Malicious=15/17 tier-1 engines; tier1FamilyConsensus.strong=true (5 engines agreeing on 'win64')
BitDefender, Kaspersky, Avira, ESET-NOD32, Sophos, Microsoft all flagging with named families (Tedy, DLLhijack, Agent, Packunwan)
Unsigned DLL mimicking legitimate Windows system file (WINMM.dll); behaviour shows rundll32.exe proxy execution (T1218.011) and DLL hijacking patterns
prevalence.classification='common_old' — 1236 submitters, 1474 submissions since June 2025; widely-known malware sample
No malicious sandbox verdict, no contacted malicious hosts, no dropped children — but tier-1 consensus and named families override absence of runtime telemetry

Points in its favour

No malicious sandbox verdict recorded (though sandbox execution occurred)
No contacted malicious hosts in our URL cache
No dropped malicious children detected
No adversarial input flags or brand mismatch

Points against

Tier-1 consensus: 15 of 17 tier-1 engines flagging as malware
Named malware families: Tedy, DLLhijack, Agent, Packunwan across reputable engines
Unsigned DLL mimicking legitimate Windows system file (WINMM.dll)
DLL hijacking execution pattern: rundll32.exe proxy execution (T1218.011, T1574.002)
High prevalence: 1,474 submissions from 1,236 sources since June 2025
64-bit trojan with potential for system-level compromise

What to do

This file is malware and should be removed immediately. Do not execute or open it under any circumstances. Perform a full system scan with updated antivirus software and consider professional incident response if this file was found on a production system.

Threat family attribution

dllhijack corroborated by 2 sources

VT (75 engines)
dllhijack
MT AI Engine
Tedy

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.002T1056.004T1057T1071T1082T1095T1218.011T1574.002

Spawned processes

$(unnamed)

"C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\WINMM.dll",#1

$(unnamed)

C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\WINMM.dll"

$(unnamed)

C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

$(unnamed)

C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WINMM.dll",#1

$(unnamed)

C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WINMM.dll",#1

$(unnamed)

C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\WINMM.dll,CloseDriver

$(unnamed)

C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\WINMM.dll,DefDriverProc

$(unnamed)

C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\WINMM.dll,DriverCallback

+7 more processes captured.

Filesystem & mutexes

Files written1

\Device\ConDrv\\Connect

Mutexes created1

\Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex

No researcher-database hits

External threat-intel sources were not collected for this scan.

Antivirus engine breakdown

51 detections across 75 engines

51 malicious0 suspicious24 clean

Tier-117 engines

15flag

Top commercial AVs (low FP rate)

Tier-238 engines

21flag

Mainstream engines with mixed FP rates

Low-trust20 engines

15flag

Heuristic / generic-AI engines (high FP rate)

Alibaba

malicious

Trojan:Win32/DLLhijack.b110130d

alibabacloud

malicious

Trojan:Win/DLLhijack.wwe

ALYac

malicious

Gen:Variant.Tedy.793704

Antiy-AVL

malicious

Trojan/Win32.DLLhijack

Arcabit

malicious

Trojan.Tedy.DC1C68

Avast

malicious

Win64:MalwareX-gen [Misc]

AVG

malicious

Win64:MalwareX-gen [Misc]

Avira

malicious

TR/W64.Agent

BitDefender

malicious

Gen:Variant.Tedy.793704

Bkav

malicious

W32.Malware.2D8D4FA2

CrowdStrike

malicious

win/malicious_confidence_70% (D)

CTX

malicious

dll.trojan.dllhijack

Cylance

malicious

Unsafe

Cynet

malicious

Malicious (score: 100)

DeepInstinct

malicious

MALICIOUS

Elastic

malicious

malicious (high confidence)

Emsisoft

malicious

Gen:Variant.Tedy.793704 (B)

ESET-NOD32

malicious

Win64/Packed.VMProtect.AA suspicious application

F-Secure

malicious

Trojan.TR/W64.Agent

Fortinet

malicious

Riskware/Application

GData

malicious

Gen:Variant.Tedy.793704

Google

malicious

Detected

Gridinsoft

malicious

Trojan.Heur!.02212022

K7AntiVirus

malicious

Riskware ( 005cdd801 )

K7GW

malicious

Riskware ( 005cdd801 )

Kaspersky

malicious

Trojan.Win32.DLLhijack.wuh

Kingsoft

malicious

Win32.Troj.Unknown.a

Lionic

malicious

Trojan.Win32.DLLhijack.4!c

Malwarebytes

malicious

Malware.AI.2577218073

MaxSecure

malicious

Trojan.Malware.300983.susgen

McAfeeD

malicious

ti!BA740FC3F764

Microsoft

malicious

PUA:Win32/Packunwan

MicroWorld-eScan

malicious

Gen:Variant.Tedy.793704

NANO-Antivirus

malicious

Trojan.Win64.DLLhijack.kylope

Paloalto

malicious

generic.ml

Panda

malicious

Trj/Chgt.AD

Rising

malicious

Trojan.DLLhijack!8.1B50 (CLOUD)

SentinelOne

malicious

Static AI - Suspicious PE

Skyhigh

malicious

Artemis

Sophos

malicious

Mal/Generic-S

Symantec

malicious

Trojan.Gen.MBT

Tencent

malicious

Win32.Trojan.Dllhijack.Nsmw

TrellixENS

malicious

Artemis!FC7F0CB1C8B5

TrendMicro

malicious

Trojan.Win64.DLLHIJACK.USBLHF25

TrendMicro-HouseCall

malicious

Trojan.Win64.DLLHIJACK.USBLHF25

Varist

malicious

W64/ABTrojan.OBUS-6682

VBA32

malicious

Trojan.DLLhijack

VIPRE

malicious

Gen:Variant.Tedy.793704

Webroot

malicious

Win.Trojan.Gen

Yandex

malicious

Trojan.Igent.b5Paym.3

Zillya

malicious

Trojan.DLLhijack.Win32.6

Hash ba740fc3f764… cross-referenced against 75 AV engines via our AV network.

PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked

Section entropy9 sections

.text

0.00

.rdata

0.00

.data

0.00

.pdata

0.00

.U@H

0.00

.Qyz

0.24

.#jC

7.89

.reloc

2.71

.rsrc

4.89

0.0Packed threshold 7.28.0

Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old

Unique uploaders

1,236

Hundreds of people have uploaded this — common.

Total submissions

1,474

Includes repeat uploads by the same source.

First seen by VT

1y ago

Jun 23, 2025

Prevalence quadrant

Rare · New

Targeted malware lives here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

here

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

6/23/2025, 2:26:43 PM

First seen (MalwareBazaar)

—

Last analysis (VT)

5/30/2026, 10:43:49 PM

Scanned here

6/28/2026, 11:30:24 AM

File name: WINMM.dll
Size: 16.31 MB
MIME type: (unknown)
Detected type: Win32 DLL
SHA-256: ba740fc3f76464c5aac4409f834f6dc910e5494132f957a28472fc8c3c1b3bc1
MD5: fc7f0cb1c8b54d65d49217bdcadd0acc
SHA-1: 79424b331629aa23e80ee02ac58665cd600da489
PE imphash: 98749fa3bd96823b0ff1ef9486650c7a
First seen (VT): 6/23/2025, 2:26:43 PM
Last analysis (VT): 5/30/2026, 10:43:49 PM
First scan (MalwareTips): 6/28/2026, 11:30:24 AM
Last scan (MalwareTips): 6/28/2026, 11:30:24 AM

Behavior tags

64bitspedll

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.