Malware Analysis Report

2025-08-05 15:19

Sample ID 221011-eh545sdeb4
Target eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7
SHA256 eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7
Tags
wannacry ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7

Threat Level: Known bad

The file eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7 was found to be: Known bad.

Malicious Activity Summary

wannacry ransomware worm

Wannacry

Drops file in System32 directory

Drops file in Windows directory

Program crash

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-10-11 03:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 03:57

Reported

2022-10-11 04:00

Platform

win7-20220812-en

Max time kernel

151s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

Signatures

Wannacry

ransomware worm wannacry

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ADKEUKXD.txt C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0RAHLROR.txt C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ADKEUKXD.txt C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0RAHLROR.txt C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\59084HUA.txt C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\59084HUA.txt C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\tasksche.exe C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 676 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 676 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 676 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 676 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1084 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1084 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1084 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1084 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1304 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1304 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1304 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1304 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 756

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 752

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 752

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 76.223.26.96:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 76.223.26.96:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 76.223.26.96:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 76.223.26.96:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp

Files

memory/1308-54-0x0000000075661000-0x0000000075663000-memory.dmp

memory/1028-56-0x0000000000000000-mapping.dmp

memory/1220-58-0x0000000000000000-mapping.dmp

memory/700-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 03:57

Reported

2022-10-11 04:00

Platform

win10v2004-20220901-en

Max time kernel

145s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

Signatures

Wannacry

ransomware worm wannacry

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\tasksche.exe C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1088

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3104 -ip 3104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1088

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3316 -ip 3316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1104

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 13.248.148.254:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 13.248.148.254:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 52.109.13.64:443 tcp
US 20.42.73.24:443 tcp
FR 2.18.109.224:443 tcp
NL 87.248.202.1:80 tcp
NL 88.221.25.155:80 tcp
US 8.8.8.8:53 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 76.223.26.96:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 13.248.148.254:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp

Files

N/A