Malware Analysis Report

2024-10-23 20:00

Sample ID 240518-sjm7lshd83
Target WannaCryPlus.exe
SHA256 55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3
Tags
wannacry ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3

Threat Level: Known bad

The file WannaCryPlus.exe was found to be: Known bad.

Malicious Activity Summary

wannacry ransomware worm

Wannacry

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-18 15:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 15:09

Reported

2024-05-18 15:10

Platform

win7-20240508-en

Max time kernel

28s

Max time network

28s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCryPlus.dll,#1

Signatures

Wannacry

ransomware worm wannacry

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\mssecsvc.exe N/A
N/A N/A C:\WINDOWS\mssecsvc.exe N/A
N/A N/A C:\WINDOWS\tasksche.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\WINDOWS\mssecsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\tasksche.exe C:\WINDOWS\mssecsvc.exe N/A
File created C:\WINDOWS\mssecsvc.exe C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\WINDOWS\mssecsvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\WINDOWS\mssecsvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadNetworkName = "Network 3" C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A} C:\WINDOWS\mssecsvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadDecisionReason = "1" C:\WINDOWS\mssecsvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadDecision = "0" C:\WINDOWS\mssecsvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51\WpadDecisionReason = "1" C:\WINDOWS\mssecsvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\WINDOWS\mssecsvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\WINDOWS\mssecsvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\WINDOWS\mssecsvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\WINDOWS\mssecsvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadDecisionTime = c0d3867035a9da01 C:\WINDOWS\mssecsvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51\WpadDecisionTime = c0d3867035a9da01 C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\WINDOWS\mssecsvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\WINDOWS\mssecsvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\WINDOWS\mssecsvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51 C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\12-d2-84-98-05-51 C:\WINDOWS\mssecsvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51\WpadDecision = "0" C:\WINDOWS\mssecsvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\WINDOWS\mssecsvc.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCryPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCryPlus.dll,#1

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe -m security

C:\WINDOWS\tasksche.exe

C:\WINDOWS\tasksche.exe /i

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com udp
US 104.16.167.228:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com tcp
US 104.16.167.228:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com tcp

Files

C:\Windows\mssecsvc.exe

MD5 90a1e06d78737b9a87e8ea42f76e2544
SHA1 785ddf8bd3add2da415cbc7c39aab7eb21407d20
SHA256 e1bee0f7a7cd0ac8659033d9e67bfc83ae03843ed30dff8ca590f916604a6de7
SHA512 40ee623eb975b3890d3e8260e76963d078a7734c040d4151fa0cf11fd6e2421f5ea609f67922a51c6df7a09f077087361586d5f40208bc97ee70531e2a3df5be

C:\Windows\tasksche.exe

MD5 0df2ae526d7350c2e3d1383c07a6be04
SHA1 06c4d41c60736ea1e0bb1b095536499e05068442
SHA256 10111f53da4181d548ea77cc91f02a15b9ede3f111f074230761f2afee7cd637
SHA512 9ca1ca36dcefdb1eba3152bc2d14c9dceb3360960338d13db5f8a02327aef80cb0ab238c2c1f3d2dbd7fd75124d4199b5cd63f173a09a0dea212ebb265f8453d