Malware Analysis Report

2025-08-05 15:25

Sample ID: 221011-ejhp8sdgbn
Target: eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe
SHA256: eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7
Tags: wannacry, ransomware, worm
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7
Threat Level: Known bad

The file eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe was found to be: Known bad.

Malicious Activity Summary

Tags: wannacry, ransomware, worm

Wannacry
Drops file in System32 directory
Drops file in Windows directory
Program crash
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-10-11 03:58

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-11 03:58
Reported: 2022-10-11 04:01
Platform: win10v2004-20220812-en
Max time kernel: 125s
Max time network: 174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

Signatures

Wannacry

ransomware worm wannacry

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\tasksche.exe | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1080

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1108

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
AU | 103.224.212.220:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 8.8.8.8:53 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
US | 76.223.26.96:80 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
AU | 103.224.212.220:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 76.223.26.96:80 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 20.189.173.10:443 | | tcp
US | 13.248.148.254:80 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 8.253.208.113:80 | | tcp
US | 8.253.208.113:80 | | tcp
US | 209.197.3.8:80 | | tcp
AU | 103.224.212.220:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 8.8.8.8:53 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
US | 13.248.148.254:80 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-11 03:58
Reported: 2022-10-11 04:01
Platform: win7-20220812-en
Max time kernel: 138s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

Signatures

Wannacry

ransomware worm wannacry

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KWM98LNQ.txt | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KWM98LNQ.txt | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\tasksche.exe | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecision = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecision = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadDecisionTime = 2038dfa236ddd801 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadNetworkName = "Network 2" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\a2-a7-2d-2f-50-a6 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadDecisionReason = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadDecision = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadDecision = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecisionTime = 2038dfa236ddd801 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1} | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\a2-a7-2d-2f-50-a6 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDetectedUrl | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1} | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadDecisionReason = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadNetworkName = "Network 2" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecisionTime = 20a7d3d536ddd801 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecisionTime = 2038dfa236ddd801 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecisionReason = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-a7-2d-2f-50-a6\WpadDecisionReason = "1" | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D831DAB2-9806-4224-BB11-1E29A00603E1}\WpadDecisionTime = 20a7d3d536ddd801 | C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 568

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 560

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
AU | 103.224.212.220:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 8.8.8.8:53 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
US | 76.223.26.96:80 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
AU | 103.224.212.220:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
NL | 13.227.211.17:80 | | tcp
NL | 13.227.211.17:80 | | tcp
NL | 216.58.208.100:80 | | tcp
NL | 142.250.179.194:443 | | tcp
NL | 142.250.179.194:443 | | tcp
NL | 13.227.211.17:80 | | tcp
NL | 216.58.214.2:443 | | tcp
NL | 216.58.214.2:443 | | tcp
NL | 142.251.39.97:443 | | tcp
NL | 142.251.39.97:443 | | tcp
NL | 216.58.208.100:80 | | tcp
NL | 142.250.179.200:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 142.250.179.162:443 | | tcp
NL | 142.250.179.131:443 | | tcp
NL | 142.250.179.131:443 | | tcp
NL | 142.251.36.6:443 | | tcp
NL | 142.250.179.214:443 | | tcp
NL | 142.251.36.1:443 | | tcp
NL | 142.251.36.35:80 | | tcp
NL | 142.251.36.35:80 | | tcp
US | 142.250.102.155:443 | | tcp
US | 142.250.102.155:443 | | tcp
NL | 216.58.208.100:443 | | tcp
NL | 142.251.36.35:80 | | tcp
NL | 142.251.36.35:80 | | tcp
NL | 142.251.36.3:443 | | tcp
AU | 103.224.212.220:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
NL | 142.250.179.200:443 | | tcp
US | 8.8.8.8:53 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
US | 76.223.26.96:80 | ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
NL | 142.251.36.46:443 | | tcp
NL | 172.217.168.206:443 | | tcp
NL | 142.251.36.46:443 | | tcp
NL | 172.217.168.206:443 | | tcp
NL | 142.251.36.46:443 | | tcp
NL | 172.217.168.206:443 | | tcp
NL | 172.217.168.206:443 | | tcp
NL | 142.251.36.6:443 | | tcp
NL | 142.250.179.162:443 | | tcp
NL | 142.250.179.214:443 | | tcp
NL | 142.251.36.1:443 | | tcp
NL | 142.251.39.106:443 | | tcp
NL | 142.251.36.46:443 | | tcp
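Both detonations (win10 and win7) show the same first move: a DNS lookup and a TCP/80 connection to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com (plus a ww38 subdomain that the sinkhole side redirects to). That hostname is WannaCry's kill-switch domain; when the dropper's HTTP fetch of it succeeds, the dropper exits before installing the worm and the encryptor. Because the sandbox let that connection through, what is recorded here is the kill-switch path, which is consistent with the report showing no file encryption or SMB scanning, only the C:\WINDOWS\tasksche.exe drop, the relaunch with "-m security" (the argument the mssecsvc2.0 service instance runs with) and the WerFault crash reports, whose -p argument names the crashed PID. A detonation with that domain blocked would look very different. The HKEY_USERS\.DEFAULT ZoneMap/WPAD/Connections writes and the systemprofile counters.dat and cookie files are WinINet housekeeping for that HTTP check running under the SYSTEM profile, not attacker-chosen persistence.

The script below is an added example, not part of the sandbox report or its tooling. It parses rows in this report's Network layout (either the whitespace form the sandbox prints or a pipe-separated form), plus process command lines and file-drop rows, and turns them into the findings above. The sample rows are constructed from the report's own tables, the finding names are mine, and treating the 8.8.8.8 DNS traffic and the Google/Microsoft addresses as sandbox background noise is an assumption, not something the report states.

```python
"""Triage of the WannaCry indicators in this report: kill-switch traffic, the
dropper's service-style command line and the tasksche.exe drop.
Added example; sample rows are constructed from the report's own tables."""
import re
from dataclasses import dataclass

# Well-known WannaCry kill-switch domain (a fact, not an assumption): when the
# dropper can fetch it over HTTP it exits instead of spreading/encrypting.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"
TASKSCHE_PATH = r"c:\windows\tasksche.exe"


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the sandbox recorded no name for the destination
    proto: str


# Whitespace-separated row as the sandbox prints it; the Domain cell is optional.
_ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dst>[\d.]+:\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_flows(text):
    """Parse Network rows in 'CC dst [domain] proto' or 'CC | dst | domain | proto' form."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):  # blank line or table header
            continue
        if "|" in line:
            cc, dst, domain, proto = (c.strip() for c in line.split("|"))
        else:
            m = _ROW_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised network row: {line!r}")
            cc, dst, domain, proto = m["cc"], m["dst"], m["domain"] or "", m["proto"]
        ip, port = dst.rsplit(":", 1)
        flows.append(Flow(cc, ip, int(port), domain, proto))
    return flows


def is_killswitch(domain):
    return domain == KILLSWITCH_DOMAIN or domain.endswith("." + KILLSWITCH_DOMAIN)


def killswitch_flows(flows):
    return [f for f in flows if is_killswitch(f.domain)]


def killswitch_reachable(flows):
    """True if a TCP/80 flow to the kill-switch name was recorded, i.e. the sandbox
    let the dropper's HTTP check out; on success WannaCry exits early."""
    return any(f.proto == "tcp" and f.port == 80 and is_killswitch(f.domain) for f in flows)


_WERFAULT_PID = re.compile(r"\\WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def classify_cmdline(cmdline):
    """Tag one process command line with the WannaCry-specific traits seen here."""
    tags = []
    if cmdline.strip().lower().endswith(" -m security"):
        tags.append("mssecsvc_service_args")  # argument used by the service instance
    m = _WERFAULT_PID.search(cmdline)
    if m:
        tags.append(f"wer_crash_pid_{m.group(1)}")  # WerFault -p <pid> = crashed process
    return tags


def classify_file_event(description, path):
    if description == "File created" and path.lower() == TASKSCHE_PATH:
        return ["tasksche_dropped"]
    return []


def assess(network_text, cmdlines, file_events):
    """Return the findings for one detonation, in the order they are derived."""
    flows = parse_flows(network_text)
    findings = []
    if killswitch_flows(flows):
        findings.append("killswitch_domain_contacted")
    if killswitch_reachable(flows):
        findings.append("killswitch_reachable_no_encryption_expected")
    for cmdline in cmdlines:
        findings.extend(classify_cmdline(cmdline))
    for description, path in file_events:
        findings.extend(classify_file_event(description, path))
    return findings


# Constructed from this report's behavioral2 tables (abridged).
NETWORK_SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
AU 103.224.212.220:80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 8.8.8.8:53 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com udp
US 76.223.26.96:80 ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com tcp
US 20.189.173.10:443 tcp
NL 142.250.179.194:443 tcp
"""
CMDLINE_SAMPLE = [
    r'"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4840 -ip 4840",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1080",
]
FILE_SAMPLE = [("File created", r"C:\WINDOWS\tasksche.exe")]

if __name__ == "__main__":
    for finding in assess(NETWORK_SAMPLE, CMDLINE_SAMPLE, FILE_SAMPLE):
        print(finding)
```

Run it as-is to get the findings for the constructed sample; to re-run against a different detonation, paste that report's Network rows and command lines into the three sample constants. The "killswitch_reachable" finding is the one to check first when a WannaCry sandbox run looks quiet: it tells you the run exercised the exit path, not the worm.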

Files

memory/1932-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

memory/784-56-0x0000000000000000-mapping.dmp

memory/1068-58-0x0000000000000000-mapping.dmp