4943238834a3659d2da31c0420bbbc4427f850bc637874a688d7d6445c566bfc

Analysis

max time kernel
104s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Size

70KB
MD5

e03d1a7ac69135c69cdada0e87daff8e
SHA1

7f672668be2a69900080ab8f804ad71d11c9c33f
SHA256

4943238834a3659d2da31c0420bbbc4427f850bc637874a688d7d6445c566bfc
SHA512

8f34d80c23cc1f5d6c23e51370f375b7afb119401a57af3fdb8f9015df58517795d2260a53cddce8e96d606b37be60d373de2b75170a2b950aac3f1223042a23
SSDEEP

1536:LZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Kd5BJHMqqDL2/Ovvdr

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\A:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Z:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\O:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\O:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\I:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\A:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5388	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5388	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5388	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5388	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4888	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4888	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4888	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4888	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4780	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4780	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4780	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4780	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
968	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
968	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
968	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
968	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3304	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3304	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3304	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3304	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4820	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4820	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4820	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4820	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5576	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5576	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5576	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5576	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1840	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1840	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1840	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1840	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5568	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5568	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5568	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5568	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3976	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3976	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3976	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3976	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4124	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4124	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4124	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4124	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5488	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5488	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5488	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5488	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1796	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1796	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1796	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1796	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4236	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4236	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4236	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4236	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2020	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2020	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2020	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2020	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2904	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2904	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2904	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2904	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5188 wrote to memory of 4888	5188	cmd.exe	91
PID 5188 wrote to memory of 4888	5188	cmd.exe	91
PID 5188 wrote to memory of 4888	5188	cmd.exe	91
PID 4660 wrote to memory of 4780	4660	cmd.exe	94
PID 4660 wrote to memory of 4780	4660	cmd.exe	94
PID 4660 wrote to memory of 4780	4660	cmd.exe	94
PID 1152 wrote to memory of 968	1152	cmd.exe	99
PID 1152 wrote to memory of 968	1152	cmd.exe	99
PID 1152 wrote to memory of 968	1152	cmd.exe	99
PID 5912 wrote to memory of 3304	5912	cmd.exe	104
PID 5912 wrote to memory of 3304	5912	cmd.exe	104
PID 5912 wrote to memory of 3304	5912	cmd.exe	104
PID 1700 wrote to memory of 4820	1700	cmd.exe	107
PID 1700 wrote to memory of 4820	1700	cmd.exe	107
PID 1700 wrote to memory of 4820	1700	cmd.exe	107
PID 5372 wrote to memory of 5576	5372	cmd.exe	111
PID 5372 wrote to memory of 5576	5372	cmd.exe	111
PID 5372 wrote to memory of 5576	5372	cmd.exe	111
PID 1552 wrote to memory of 1840	1552	cmd.exe	114
PID 1552 wrote to memory of 1840	1552	cmd.exe	114
PID 1552 wrote to memory of 1840	1552	cmd.exe	114
PID 6056 wrote to memory of 5568	6056	cmd.exe	117
PID 6056 wrote to memory of 5568	6056	cmd.exe	117
PID 6056 wrote to memory of 5568	6056	cmd.exe	117
PID 1088 wrote to memory of 3976	1088	cmd.exe	122
PID 1088 wrote to memory of 3976	1088	cmd.exe	122
PID 1088 wrote to memory of 3976	1088	cmd.exe	122
PID 2028 wrote to memory of 4124	2028	cmd.exe	125
PID 2028 wrote to memory of 4124	2028	cmd.exe	125
PID 2028 wrote to memory of 4124	2028	cmd.exe	125
PID 5632 wrote to memory of 5488	5632	cmd.exe	128
PID 5632 wrote to memory of 5488	5632	cmd.exe	128
PID 5632 wrote to memory of 5488	5632	cmd.exe	128
PID 1632 wrote to memory of 1796	1632	cmd.exe	131
PID 1632 wrote to memory of 1796	1632	cmd.exe	131
PID 1632 wrote to memory of 1796	1632	cmd.exe	131
PID 2580 wrote to memory of 4236	2580	cmd.exe	134
PID 2580 wrote to memory of 4236	2580	cmd.exe	134
PID 2580 wrote to memory of 4236	2580	cmd.exe	134
PID 3324 wrote to memory of 2020	3324	cmd.exe	137
PID 3324 wrote to memory of 2020	3324	cmd.exe	137
PID 3324 wrote to memory of 2020	3324	cmd.exe	137
PID 3896 wrote to memory of 2904	3896	cmd.exe	140
PID 3896 wrote to memory of 2904	3896	cmd.exe	140
PID 3896 wrote to memory of 2904	3896	cmd.exe	140
PID 5820 wrote to memory of 3984	5820	cmd.exe	143
PID 5820 wrote to memory of 3984	5820	cmd.exe	143
PID 5820 wrote to memory of 3984	5820	cmd.exe	143
PID 4648 wrote to memory of 5484	4648	cmd.exe	146
PID 4648 wrote to memory of 5484	4648	cmd.exe	146
PID 4648 wrote to memory of 5484	4648	cmd.exe	146
PID 3744 wrote to memory of 5196	3744	cmd.exe	149
PID 3744 wrote to memory of 5196	3744	cmd.exe	149
PID 3744 wrote to memory of 5196	3744	cmd.exe	149
PID 748 wrote to memory of 4932	748	cmd.exe	152
PID 748 wrote to memory of 4932	748	cmd.exe	152
PID 748 wrote to memory of 4932	748	cmd.exe	152
PID 4668 wrote to memory of 1044	4668	cmd.exe	155
PID 4668 wrote to memory of 1044	4668	cmd.exe	155
PID 4668 wrote to memory of 1044	4668	cmd.exe	155
PID 4788 wrote to memory of 4656	4788	cmd.exe	158
PID 4788 wrote to memory of 4656	4788	cmd.exe	158
PID 4788 wrote to memory of 4656	4788	cmd.exe	158
PID 4068 wrote to memory of 4484	4068	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5188
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5912
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5372
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6056
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5632
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5820
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4156
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2364
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1668
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1496
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1652
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3740
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:516
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:884
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4140
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3772
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3740
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1088

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\exygxhmafnv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jfznqwielus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fmasjytdotb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bciqsduayuf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\htizokfwlxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gexotmkhkzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\srlojexlmxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qbmfwhbzuue = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mniykrucabl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qumlekzvsrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jniulylvyva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nswwinwrrto = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mkdvkdiabnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mamvpifezud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nayajcteidj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ovdbjrotnnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrtoeaxembe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kxqejiihrpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsqtqgwlzkf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwiluvehitz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ijluiaaadfy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdixxzfnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrueglltnhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\crzhmorvcsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lceoqwttxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vmiytmckmfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pvllsjjrkuw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wremlqwwreg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zzrfcgisfkb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xtbrzokvnft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rnumlelxzbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjvncvdtrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kmcpdziegvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gptagdgfbbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfguixigumz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dqfhelttbsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oockyqufjnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zxlxfmxrbzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aomhsoanzuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjmjfirgizp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\saadyokzhmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xinvzugiaxe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fwypxwsbtth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\icjoassudvw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdtzdkqialq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hyjpedxqrik = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yvqrhagguzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oshfevggupz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uxynyjbyrot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ynicqqzovfz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ratbmfkbiub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nssesexdbpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zmymrrkadma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lhcksllbxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvsbjllfma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wqyiefrrcsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\clogyeortzr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bybpnlpzokg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfxlohimlmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nywajdhprcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ijjwwvatgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cnjjdhshcof = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irpfgactfze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbaqpkyedng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads