Malware Analysis Report

2025-08-10 17:59

Sample ID 240116-h6nrjsfbck
Target 5f4be5cdf986f7164e129e9969ded010
SHA256 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
Tags
metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c

Threat Level: Known bad

The file 5f4be5cdf986f7164e129e9969ded010 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-16 07:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-16 07:21

Reported

2024-01-16 07:23

Platform

win7-20231215-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2060 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 2060 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 2060 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 2060 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 2060 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 2060 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 2848 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2848 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2848 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2848 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2316 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2316 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2316 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2316 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2316 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2316 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2784 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2784 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2784 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2784 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2660 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2660 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2660 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2660 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2660 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2660 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2580 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2580 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2580 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2580 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 640 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 640 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 640 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 640 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 640 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 640 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 580 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 580 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 580 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 580 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2920 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2920 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2920 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2920 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2920 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2920 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2944 wrote to memory of 1784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2944 wrote to memory of 1784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2944 wrote to memory of 1784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2944 wrote to memory of 1784 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1784 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1784 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1784 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1784 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1784 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1784 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 572 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 572 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 572 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 572 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2264 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2264 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2264 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2264 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe

"C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"

C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe

C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 496 "C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 532 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 536 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 532 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 540 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

Network

N/A

Files

memory/2848-0-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2848-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2848-4-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2848-6-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2848-7-0x0000000000400000-0x00000000004FA000-memory.dmp

\Windows\SysWOW64\wmplayer.exe

MD5 5f4be5cdf986f7164e129e9969ded010
SHA1 bdc9bbfbb4418bdd0d384e731d2ec63fcc59ffa9
SHA256 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
SHA512 fcac8b62d6c3665aa918c55f00adf3f188efb1c37626bd839d7b52473d4f4ecf5ce78d893724834b4b7921329ef3ebbfc09c509ae9122a92c390907b571247b4

memory/2848-18-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2784-28-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2784-29-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2784-33-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2580-41-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2580-45-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/580-54-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/580-58-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2944-67-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2944-71-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/572-80-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/572-84-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2312-92-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2312-96-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/292-104-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/292-105-0x0000000000400000-0x00000000004FA000-memory.dmp

\Windows\SysWOW64\wmplayer.exe

MD5 904e4e34cc63bb5539926b45e0c30512
SHA1 06200ddfdffe002ba1ebadf4afe22e527c93f561
SHA256 e26f837ef7c451c1f0d114eac752fd0893d797fa81ce325f7fce67680df021c2
SHA512 8a7ba3d2859c7159c7ee77d23c82478f4636229932218112b80f3486c297ba67a97b21001c8ec04fb5fd99df43d69dd8bf8a657f07c1d7d21ce7d9a25bd54d64

C:\Windows\SysWOW64\wmplayer.exe

MD5 b8dc52d7ed6a8d7d025c234466e277d1
SHA1 dc16b2e49ae2ea2b9ad2614625fe04618e5105b1
SHA256 404bdac97706a187e7a376b9f4095bcb53cf8d916cdbea0463660711c76258cc
SHA512 942b623650d49f09ff8b251f6acff9e56dfe1d65c7864e6157a1b0601fde2fbd1f4dc360b9d3ed7644fb47112a79204b504545609ce003f24b59bf2e2a801513

memory/292-109-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2844-117-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2844-121-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/3036-130-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/3036-134-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2040-142-0x0000000000400000-0x00000000004FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-16 07:21

Reported

2024-01-16 07:23

Platform

win10v2004-20231222-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File created | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1896 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 1896 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 1896 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 1896 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 1896 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
PID 4032 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4032 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4032 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4880 wrote to memory of 5024 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4880 wrote to memory of 5024 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4880 wrote to memory of 5024 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4880 wrote to memory of 5024 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4880 wrote to memory of 5024 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 5024 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 5024 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 5024 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4400 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4400 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4400 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4400 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4400 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4632 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4632 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4632 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3060 wrote to memory of 1256 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3060 wrote to memory of 1256 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3060 wrote to memory of 1256 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3060 wrote to memory of 1256 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3060 wrote to memory of 1256 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1256 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1256 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1256 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4612 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4612 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4612 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4612 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4612 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2204 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2204 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 2204 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3460 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3460 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3460 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3460 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3460 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4052 wrote to memory of 3604 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4052 wrote to memory of 3604 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4052 wrote to memory of 3604 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3604 wrote to memory of 1580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3604 wrote to memory of 1580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3604 wrote to memory of 1580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3604 wrote to memory of 1580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 3604 wrote to memory of 1580 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1580 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1580 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 1580 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 548 wrote to memory of 4820 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 548 wrote to memory of 4820 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 548 wrote to memory of 4820 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 548 wrote to memory of 4820 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 548 wrote to memory of 4820 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4820 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4820 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe
PID 4820 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\wmplayer.exe | C:\Windows\SysWOW64\wmplayer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe

"C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"

C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe

C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1000 "C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1160 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1124 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1124 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1124 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"

C:\Windows\SysWOW64\wmplayer.exe

C:\Windows\SysWOW64\wmplayer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4032-0-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4032-2-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4032-3-0x0000000000400000-0x00000000004FA000-memory.dmp

C:\Windows\SysWOW64\wmplayer.exe

MD5 5f4be5cdf986f7164e129e9969ded010
SHA1 bdc9bbfbb4418bdd0d384e731d2ec63fcc59ffa9
SHA256 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
SHA512 fcac8b62d6c3665aa918c55f00adf3f188efb1c37626bd839d7b52473d4f4ecf5ce78d893724834b4b7921329ef3ebbfc09c509ae9122a92c390907b571247b4

memory/4032-10-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/5024-14-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/5024-15-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/5024-17-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4632-22-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4632-24-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1256-29-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1256-31-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2204-36-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2204-38-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4052-43-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4052-45-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1580-50-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1580-52-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4820-57-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4820-59-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1376-64-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1376-66-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/3164-71-0x0000000000400000-0x00000000004FA000-memory.dmp

C:\Windows\SysWOW64\wmplayer.exe

MD5 317cc731079dba5b72b6cc95183e7eff
SHA1 905c5fc402dca354115ed11e16b236efe1ba8e19
SHA256 2306b6df780429f9680cd7e458a7bbd61497b8b7a985260f658aa9ef5bdb7e17
SHA512 17615491a5da39e058ffcf88c71e488502a1ed886b6fcfecde23525490e96b1cd3a9567b3493782d89fa61a47f579cf863a682cf07449d9576a9590f42a94407

memory/3164-73-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1032-78-0x0000000000400000-0x00000000004FA000-memory.dmp