Recently watched a short documentary on WannaCry and Marcus Hutchins. When he ran its code in quarantine, he noticed it was querying a URL. He then noticed the domain wasn’t registered, and did so himself, thereby sinkholing traffic destined for the C&C server. My question is, if the domain wasn’t registered to begin with, how was the traffic from infected devices reaching the C&C servers? Was the virus also locally modifying the hosts file?