f4465403f9693939fe9c439f0ab33610
Hash
- MD5: f4465403f9693939fe9c439f0ab33610
- SHA1: dcc95dba4433867edb00898e59ffe171d4cb07bb
- SHA256: 929dbf16ee3a1b088d09dac820058c02d639b45912b02b334384754d073a581f
- First Seen: 2026-05-14
- Last Seen: 2026-05-14
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "929dbf16ee3a1b088d09dac820058c02d639b45912b02b334384754d073a581f",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/929dbf16ee3a1b088d09dac820058c02d639b45912b02b334384754d073a581f"
},
"attributes": {
"total_votes": {
"harmless": 0,
"malicious": 1
},
"last_modification_date": 1780346851,
"type_extension": "dll",
"md5": "f4465403f9693939fe9c439f0ab33610",
"magic": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"last_analysis_stats": {
"malicious": 57,
"suspicious": 0,
"undetected": 14,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 4
},
"popular_threat_classification": {
"popular_threat_category": [
{
"value": "trojan",
"count": 25
},
{
"value": "dropper",
"count": 7
},
{
"value": "worm",
"count": 1
}
],
"suggested_threat_label": "trojan.sysn/doina",
"popular_threat_name": [
{
"value": "sysn",
"count": 9
},
{
"value": "doina",
"count": 6
},
{
"value": "kimsuky",
"count": 6
}
]
},
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Windows Binaries Write Suspicious Extensions",
"rule_description": "Detects Windows executables that write files with suspicious extensions",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
"TargetFilename": "C:\\ProgramData\\temp\\6995.tmp.bat",
"EventID": "11"
}
},
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
"TargetFilename": "C:\\ProgramData\\temp\\6996.tmp.bat",
"EventID": "11"
}
},
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
"EventID": "11",
"TargetFilename": "C:\\ProgramData\\temp\\6DBC.tmp.bat"
}
},
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
"TargetFilename": "C:\\ProgramData\\temp\\6E39.tmp.bat",
"EventID": "11"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "UNC2452 Process Creation Patterns",
"rule_description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=502285D9914448259E73B18843B088FE972841D6,MD5=F3BDBE3BB6F734E357235F4D5898582D,SHA256=3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744,IMPHASH=0AF8419BE362159398343D7B31721726",
"Description": "Windows Command Processor",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe C:\\Users\\george\\Desktop\\attachment.dll,DllRegisterServer",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\6995.tmp.bat",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=502285D9914448259E73B18843B088FE972841D6,MD5=F3BDBE3BB6F734E357235F4D5898582D,SHA256=3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744,IMPHASH=0AF8419BE362159398343D7B31721726",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\george\\Desktop\\attachment.dll\",#1",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\6996.tmp.bat",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=502285D9914448259E73B18843B088FE972841D6,MD5=F3BDBE3BB6F734E357235F4D5898582D,SHA256=3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744,IMPHASH=0AF8419BE362159398343D7B31721726",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\george\\Desktop\\attachment.dll\",#1",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\6DBC.tmp.bat",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=502285D9914448259E73B18843B088FE972841D6,MD5=F3BDBE3BB6F734E357235F4D5898582D,SHA256=3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744,IMPHASH=0AF8419BE362159398343D7B31721726",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe C:\\Users\\george\\Desktop\\attachment.dll,DllRegisterServer",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\6E39.tmp.bat",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "DNS Query Request By Regsvr32.EXE",
"rule_description": "Detects DNS queries initiated by \"Regsvr32.exe\"",
"rule_author": "Dmitriy Lifanov, oscd.community",
"match_context": [
{
"values": {
"QueryStatus": "9003",
"QueryName": "help.mappo-on.life",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"EventID": "22"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Unusual Parent Process For Cmd.EXE",
"rule_description": "Detects suspicious parent process for cmd.exe",
"rule_author": "Tim Rauch, Elastic (idea)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\init.dll",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\3010.tmp.bat",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\init.dll",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\3476.tmp.bat",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=502285D9914448259E73B18843B088FE972841D6,MD5=F3BDBE3BB6F734E357235F4D5898582D,SHA256=3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744,IMPHASH=0AF8419BE362159398343D7B31721726",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "regsvr32.exe /s C:\\Users\\george\\Desktop\\attachment.dll",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\6997.tmp.bat",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=502285D9914448259E73B18843B088FE972841D6,MD5=F3BDBE3BB6F734E357235F4D5898582D,SHA256=3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744,IMPHASH=0AF8419BE362159398343D7B31721726",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "regsvr32.exe /s C:\\Users\\george\\Desktop\\attachment.dll",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\temp\\6DBD.tmp.bat",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "49c4c4517c1ca707a5dfadad1b8db8afe6380c4546c944335aee3a1fadcc5542",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Regsvr32 Execution From Potential Suspicious Location",
"rule_description": "Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=878E47C8656E53AE8A8A21E927C6F7E0,SHA256=31AEE70F9705F6578C6B41849EA3B5A948A446F494F24BEFCF5B169A1C2A71D2,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "REGSVR32.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\init.dll",
"CommandLine": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=88630F60E73454670A7D9B64C98B4798D1DE8872,MD5=426E7499F6A7346F0410DEAD0805586B,SHA256=4DC13CBE6F048809D49B0095B1691104E5A64ECA6BCC2A6243C074CB91D038E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Microsoft(C) Register Server",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\george\\Desktop\\attachment.dll\",#1",
"CommandLine": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Hashes": "SHA1=88630F60E73454670A7D9B64C98B4798D1DE8872,MD5=426E7499F6A7346F0410DEAD0805586B,SHA256=4DC13CBE6F048809D49B0095B1691104E5A64ECA6BCC2A6243C074CB91D038E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": "regsvr32.exe /s C:\\Users\\george\\Desktop\\attachment.dll",
"CommandLine": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\george\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Hashes": "SHA1=88630F60E73454670A7D9B64C98B4798D1DE8872,MD5=426E7499F6A7346F0410DEAD0805586B,SHA256=4DC13CBE6F048809D49B0095B1691104E5A64ECA6BCC2A6243C074CB91D038E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": "rundll32.exe C:\\Users\\george\\Desktop\\attachment.dll,DllRegisterServer",
"CommandLine": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=3B9DD8D84C888DA77EB06CFB43E393DD50E0CE6F,MD5=D78B75FC68247E8A63ACBA846182740E,SHA256=12E08492893DBCE4C120D69205C82C32C1AC556D2C244B3B536018A5A274355E,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "REGSVR32.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Microsoft(C) Register Server",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5be9da0a90b142239a3ff2819edf2283938855da3b4c80d63d8e6db63c2c4fe7",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Hidden Executable In NTFS Alternate Data Stream",
"rule_description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash",
"rule_author": "Florian Roth (Nextron Systems), @0xrawsec",
"match_context": [
{
"values": {
"EventID": "15",
"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
"TargetFilename": "C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll",
"Hash": "SHA1=DCC95DBA4433867EDB00898E59FFE171D4CB07BB,MD5=F4465403F9693939FE9C439F0AB33610,SHA256=929DBF16EE3A1B088D09DAC820058C02D639B45912B02B334384754D073A581F,IMPHASH=17660921FBE4FBAAC23D79329E99EA65"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "CurrentVersion Autorun Keys Modification",
"rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventType": "SetValue",
"Details": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsDefenderAutoUpdate"
}
},
{
"values": {
"EventID": "13",
"Details": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1015118539-3749460369-599379286-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsDefenderAutoUpdate"
}
},
{
"values": {
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
"Details": "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"TargetObject": "HKU\\S-1-5-21-1015118539-3749460369-599379286-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsDefenderAutoUpdate"
}
},
{
"values": {
"EventID": "13",
"EventType": "SetValue",
"Details": "regsvr32.exe /s \"%ProgramData%\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\"",
"TargetObject": "HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsDefenderAutoUpdate"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Network Connection Initiated By Regsvr32.EXE",
"rule_description": "Detects a network connection initiated by \"Regsvr32.exe\"",
"rule_author": "Dmitriy Lifanov, oscd.community",
"match_context": [
{
"values": {
"SourceIsIpv6": "true",
"DestinationPort": "53",
"DestinationIp": "808:808:d882:8ff:d882:8ff:d882:8ff",
"Protocol": "udp",
"SourceIp": "c0a8:209:6e00:7300:f870:a4c1:3ac:ffff",
"DestinationIsIpv6": "true",
"EventID": "3",
"SourcePort": "56481",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "true",
"DestinationPort": "53",
"DestinationIp": "808:808:d882:8ff:d882:8ff:d882:8ff",
"Protocol": "udp",
"SourceIp": "c0a8:209:6e00:7300:f870:a4c1:3ac:ffff",
"DestinationIsIpv6": "true",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"SourcePort": "56057",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "true",
"DestinationPort": "53",
"Initiated": "true",
"Protocol": "udp",
"SourceIp": "c0a8:209:6e00:7300:f870:a4c1:3ac:ffff",
"DestinationIsIpv6": "true",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"SourcePort": "55537",
"DestinationIp": "808:808:d882:8ff:d882:8ff:d882:8ff"
}
},
{
"values": {
"SourceIsIpv6": "true",
"DestinationPort": "53",
"Initiated": "true",
"Protocol": "udp",
"SourceIp": "c0a8:209:6e00:7300:f870:a4c1:3ac:ffff",
"DestinationIsIpv6": "true",
"EventID": "3",
"SourcePort": "58584",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"DestinationIp": "808:808:d882:8ff:d882:8ff:d882:8ff"
}
},
{
"values": {
"SourceIsIpv6": "true",
"DestinationPort": "53",
"DestinationIp": "808:808:d882:8ff:d882:8ff:d882:8ff",
"Protocol": "udp",
"SourceIp": "c0a8:209:6e00:7300:f870:a4c1:3ac:ffff",
"DestinationIsIpv6": "true",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"SourcePort": "56693",
"Initiated": "true"
}
}
]
}
],
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260525",
"category": "malicious",
"result": "W32.Malware.B856F025"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Win32.Sysn.b!c"
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Gen:Variant.Doina.104489"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260525",
"category": "malicious",
"result": "BehavesLike.Win32.Worm.dh"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260526",
"category": "malicious",
"result": "Backdoor.Agent.status"
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "malicious",
"result": "Unsafe"
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260525",
"category": "malicious",
"result": "Gen:Variant.Doina.104489"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "malicious",
"result": "Dropper.Win32.Kimsuky.Vf33"
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59615",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan ( 005d33b71 )"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260526",
"category": "malicious",
"result": "Gen:Variant.Doina.104489"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59617",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan ( 005d33b71 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "malicious",
"result": "win/malicious_confidence_100% (W)"
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Doina.D19829"
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1214",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan.Gen.MBT"
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.261",
"engine_update": "20260525",
"category": "malicious",
"result": "malicious (high confidence)"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Win32/Kimsuky.F trojan"
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "malicious",
"result": "Malicious"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "TROJ_GEN.R002C0PEE26"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "malicious",
"result": "Win32:MalwareX-gen [Trj]"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Win.Malware.Bulz-10030190-0"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR:Trojan-Dropper.Win32.Sysn.gen"
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "malicious",
"result": "TrojanDropper:Win32/Kimsuky.cef30e6c"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Win32.Sysn.hzqhfm"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Win.C.Sysn.242688.A"
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "malicious",
"result": "Malware.Win32.Gencirc.10bde7a4"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Mal/Generic-S"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779782449",
"engine_update": "20260526",
"category": "malicious",
"result": "Detected"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.TR/W32.MalwareX"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.DownLoader35.1673"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5608",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan.NukeSped.Win32.290"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "TROJ_GEN.R002C0PEE26"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260526",
"category": "malicious",
"result": "ti!929DBF16EE3A"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "malicious",
"result": "Static AI - Suspicious PE"
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260526",
"category": "malicious",
"result": "dll.trojan.sysn"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260526",
"category": "malicious",
"result": "Gen:Variant.Doina.104489 (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Win32.Kimsuky"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260525",
"category": "malicious",
"result": "TrojanDropper.Sysn.fxn"
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260526",
"category": "malicious",
"result": "W32/ABRisk.XMNY-5044"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260526",
"category": "malicious",
"result": "TR/W32.MalwareX"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan[Dropper]/Win32.Sysn"
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260524",
"category": "malicious",
"result": "Win32.Trojan-Dropper.Sysn.gen"
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.246.174",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38677",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan:Win32/Multiverze!rfn"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107039",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44681AVA:64.31308",
"engine_update": "20260526",
"category": "malicious",
"result": "Gen:Variant.Doina.104489"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260526",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan/Win.Agent.C5886188"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260526",
"category": "malicious",
"result": "TrojanDropper.Sysn"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-26.02",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260526",
"category": "malicious",
"result": "MALICIOUS"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260526",
"category": "malicious",
"result": "Malware.AI.3850684316"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260525",
"category": "malicious",
"result": "Trj/GdSda.A"
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260526",
"category": "malicious",
"result": "Backdoor.[Lazarus]NukeSped!1.CF6B (CLASSIC)"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.NukeSped!AhCxF0xJ6Og"
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260525",
"category": "malicious",
"result": "GenericRXMK-IX!F4465403F969"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "b8a15cc:b8a15cc:e0fccfc:e0fccfc",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Malware.221268428.susgen"
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260526",
"category": "malicious",
"result": "W32/Kimsuky.F!tr"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "malicious",
"result": "Win32:MalwareX-gen [Trj]"
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260526",
"category": "malicious",
"result": "generic.ml"
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Win/Kimsuky.F"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260526-00",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
}
},
"type_tags": [
"executable",
"windows",
"win32",
"pe",
"pedll"
],
"last_analysis_date": 1779790125,
"first_seen_itw_date": 1716118991,
"authentihash": "1c703bf2fc675b9d1015b2eb75293ef22772c91648f72a35bd44f3d9e05046f5",
"type_tag": "pedll",
"ssdeep": "6144:aZEegG/DP1xTLTIJicJeYcqIbswj1YOj:apg8tx3TNcJEqQsDOj",
"meaningful_name": "xy7z5tr.exe",
"reputation": -52,
"tlsh": "T160345C2BB981C135D87F02B4D4B557DAA818B963776448CBF3C10F9A4D63BD3AEA110E",
"size": 242688,
"times_submitted": 1,
"type_description": "Win32 DLL",
"filecondis": {
"dhash": "747e3e3e2e171a04",
"raw_md5": "b9fb77924b5bdf5cb9577a5fc0a9ddaf"
},
"crowdsourced_ids_results": [
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET INFO Observed DNS Query to .life TLD",
"rule_id": "1:2027867",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert dns $HOME_NET any -> any any (msg:\"ET INFO Observed DNS Query to .life TLD\"; dns.query; content:\".life\"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027867; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_11_21;)",
"rule_references": [
"https://www.spamhaus.org/statistics/tlds/"
],
"alert_context": [
{
"dest_ip": "8.8.8.8",
"dest_port": 53
}
]
}
],
"unique_sources": 1,
"tags": [
"spreader",
"pedll",
"persistence",
"long-sleeps",
"detect-debug-environment",
"checks-user-input"
],
"last_submission_date": 1716110342,
"sandbox_verdicts": {
"C2AE": {
"category": "malicious",
"malware_classification": [
"RAT"
],
"sandbox_name": "C2AE",
"malware_names": [
"KimsukiRAT"
],
"confidence": 50
}
},
"pe_info": {
"timestamp": 1602549423,
"imphash": "17660921fbe4fbaac23d79329e99ea65",
"machine_type": 332,
"entry_point": 94000,
"resource_details": [
{
"lang": "ENGLISH US",
"chi2": 4031.47,
"filetype": "XML",
"entropy": 4.911615371704102,
"sha256": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df",
"type": "RT_MANIFEST"
}
],
"resource_langs": {
"ENGLISH US": 1
},
"resource_types": {
"RT_MANIFEST": 1
},
"sections": [
{
"name": ".text",
"chi2": 1058040.62,
"virtual_address": 4096,
"flags": "rx",
"raw_size": 171520,
"entropy": 6.56,
"virtual_size": 171373,
"md5": "16b628cd0a7d25534dd11ca0c86de064"
},
{
"name": ".rdata",
"chi2": 2421072.25,
"virtual_address": 176128,
"flags": "r",
"raw_size": 52224,
"entropy": 4.65,
"virtual_size": 51822,
"md5": "898032d414a29c33c38683d594cdaf6d"
},
{
"name": ".data",
"chi2": 577707.94,
"virtual_address": 229376,
"flags": "rw",
"raw_size": 6144,
"entropy": 3.66,
"virtual_size": 14912,
"md5": "18185ee258a8b561064273e868582a72"
},
{
"name": ".cvbnm,0",
"chi2": 12345.78,
"virtual_address": 245760,
"flags": "rx",
"raw_size": 3072,
"entropy": 7.34,
"virtual_size": 2768,
"md5": "3e4c58910d1e1bc408d7786aed4117fc"
},
{
"name": ".reloc",
"chi2": 32091.62,
"virtual_address": 249856,
"flags": "r",
"raw_size": 8192,
"entropy": 6.64,
"virtual_size": 8184,
"md5": "b694e39d0cdd096a30e48a2b2cdafd7c"
},
{
"name": ".rsrc",
"chi2": 9288.0,
"virtual_address": 258048,
"flags": "r",
"raw_size": 512,
"entropy": 4.72,
"virtual_size": 469,
"md5": "f0622d49b1274e2b2853e8522e5aa426"
}
],
"exports": [
"DllRegisterServer"
],
"compiler_product_versions": [
"[---] Unmarked objects count=107",
"[EXP] VS2012 build 50727 count=1",
"[RES] VS2012 build 50727 count=1",
"[LNK] VS2012 build 50727 count=1",
"id: 0xc7, version: 41118 count=2",
"id: 0xcd, version: 50628 count=29",
"id: 0xcf, version: 50628 count=71",
"id: 0xce, version: 50628 count=213",
"id: 0xb9, version: 30716 count=5",
"id: 0xd3, version: 50727 count=18"
],
"rich_pe_header_hash": "ec6b85d5334a4775d0ae31c48a4bf720",
"import_list": [
{
"library_name": "KERNEL32.dll",
"imported_functions": [
"CloseHandle",
"CompareStringEx",
"CreateFileMappingW",
"CreateFileW",
"DecodePointer",
"DeleteCriticalSection",
"EncodePointer",
"EnterCriticalSection",
"ExitProcess",
"FileTimeToDosDateTime",
"FileTimeToSystemTime",
"FindClose",
"FindFirstFileW",
"FindNextFileW",
"FlsAlloc",
"FlsFree",
"FlsGetValue",
"FlsSetValue",
"FlushFileBuffers",
"FreeEnvironmentStringsW",
"GetACP",
"GetCommandLineA",
"GetConsoleCP",
"GetConsoleMode",
"GetCPInfo",
"GetCurrentProcess",
"GetCurrentThreadId",
"GetEnvironmentStringsW",
"GetFileInformationByHandle",
"GetFileSize",
"GetFileType",
"GetLastError",
"GetLocalTime",
"GetModuleFileNameA",
"GetModuleFileNameW",
"GetModuleHandleExW",
"GetModuleHandleW",
"GetOEMCP",
"GetProcAddress",
"GetProcessHeap",
"GetStartupInfoW",
"GetStdHandle",
"GetStringTypeW",
"GetSystemTime",
"GetSystemTimeAsFileTime",
"GetTickCount64",
"GetTimeZoneInformation",
"HeapAlloc",
"HeapFree",
"HeapReAlloc",
"HeapSize",
"InitializeCriticalSectionAndSpinCount",
"InitializeCriticalSectionEx",
"InitOnceExecuteOnce",
"InterlockedDecrement",
"InterlockedIncrement",
"IsBadReadPtr",
"IsDebuggerPresent",
"IsProcessorFeaturePresent",
"IsValidCodePage",
"LCMapStringEx",
"LeaveCriticalSection",
"LoadLibraryA",
"LoadLibraryExW",
"LoadLibraryW",
"MapViewOfFile",
"MultiByteToWideChar",
"OutputDebugStringW",
"QueryPerformanceCounter",
"RaiseException",
"ReadConsoleW",
"ReadFile",
"RtlUnwind",
"SetEnvironmentVariableA",
"SetFilePointer",
"SetFilePointerEx",
"SetLastError",
"SetStdHandle",
"SetUnhandledExceptionFilter",
"Sleep",
"SystemTimeToFileTime",
"TerminateProcess",
"UnhandledExceptionFilter",
"UnmapViewOfFile",
"WideCharToMultiByte",
"WriteConsoleW",
"WriteFile"
]
},
{
"library_name": "ADVAPI32.dll",
"imported_functions": [
"AdjustTokenPrivileges",
"GetTokenInformation",
"LookupPrivilegeValueA",
"OpenProcessToken"
]
}
]
},
"detectiteasy": {
"filetype": "PE32",
"values": [
{
"info": "DLL32",
"version": "2012 update 4",
"type": "Compiler",
"name": "EP:Microsoft Visual C/C++"
},
{
"info": "LTCG/C++",
"version": "17.00.50727",
"type": "Compiler",
"name": "Microsoft Visual C/C++"
},
{
"version": "11.00.50727",
"type": "Linker",
"name": "Microsoft Linker"
},
{
"version": "2012",
"type": "Tool",
"name": "Visual Studio"
}
]
},
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 2,
"medium": 6,
"low": 0
}
},
"sigma_analysis_stats": {
"critical": 0,
"high": 2,
"medium": 6,
"low": 0
},
"vhash": "125066655d1775655048z57?z1",
"trid": [
{
"file_type": "Win32 Dynamic Link Library (generic)",
"probability": 22.9
},
{
"file_type": "Win64 Executable (generic)",
"probability": 22.7
},
{
"file_type": "Win16 NE executable (generic)",
"probability": 17.5
},
{
"file_type": "Win32 Executable (generic)",
"probability": 15.7
},
{
"file_type": "OS/2 Executable (generic)",
"probability": 7.0
}
],
"creation_date": 1602549423,
"sha256": "929dbf16ee3a1b088d09dac820058c02d639b45912b02b334384754d073a581f",
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 1,
"info": 0
},
"magika": "PEBIN",
"first_submission_date": 1716110342,
"sha1": "dcc95dba4433867edb00898e59ffe171d4cb07bb",
"names": [
"xy7z5tr.exe",
"AutoUpdate.dll",
"2020-10-16_07-52_3d235aa8f66ddeec5dc4268806c22229_5557ff56(web)CN_00"
]
}
}
}
Related Reports
2026-05-14
Kaspersky