4943238834a3659d2da31c0420bbbc4427f850bc637874a688d7d6445c566bfc

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Size

70KB
MD5

e03d1a7ac69135c69cdada0e87daff8e
SHA1

7f672668be2a69900080ab8f804ad71d11c9c33f
SHA256

4943238834a3659d2da31c0420bbbc4427f850bc637874a688d7d6445c566bfc
SHA512

8f34d80c23cc1f5d6c23e51370f375b7afb119401a57af3fdb8f9015df58517795d2260a53cddce8e96d606b37be60d373de2b75170a2b950aac3f1223042a23
SSDEEP

1536:LZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Kd5BJHMqqDL2/Ovvdr

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\O:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Z:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Z:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\A:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Z:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\A:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5084	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5084	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5084	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5084	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1756	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1756	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1756	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1756	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5004	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5004	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5004	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5004	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4268	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4268	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4268	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4268	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
544	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
544	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
544	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
544	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3736	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3736	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3736	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3736	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1376	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1376	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1376	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1376	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5680	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5680	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5680	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5680	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2352	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2352	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2352	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
2352	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
6000	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
6000	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
6000	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
6000	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3536	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3536	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3536	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
3536	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4368	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4368	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4368	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
4368	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1740	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1740	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1740	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1740	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5800	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5800	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5800	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
5800	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
552	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3552	3532	cmd.exe	91
PID 3532 wrote to memory of 3552	3532	cmd.exe	91
PID 3532 wrote to memory of 3552	3532	cmd.exe	91
PID 4700 wrote to memory of 1756	4700	cmd.exe	95
PID 4700 wrote to memory of 1756	4700	cmd.exe	95
PID 4700 wrote to memory of 1756	4700	cmd.exe	95
PID 5020 wrote to memory of 5004	5020	cmd.exe	100
PID 5020 wrote to memory of 5004	5020	cmd.exe	100
PID 5020 wrote to memory of 5004	5020	cmd.exe	100
PID 4712 wrote to memory of 4268	4712	cmd.exe	105
PID 4712 wrote to memory of 4268	4712	cmd.exe	105
PID 4712 wrote to memory of 4268	4712	cmd.exe	105
PID 1344 wrote to memory of 544	1344	cmd.exe	108
PID 1344 wrote to memory of 544	1344	cmd.exe	108
PID 1344 wrote to memory of 544	1344	cmd.exe	108
PID 3680 wrote to memory of 3736	3680	cmd.exe	112
PID 3680 wrote to memory of 3736	3680	cmd.exe	112
PID 3680 wrote to memory of 3736	3680	cmd.exe	112
PID 1552 wrote to memory of 1376	1552	cmd.exe	115
PID 1552 wrote to memory of 1376	1552	cmd.exe	115
PID 1552 wrote to memory of 1376	1552	cmd.exe	115
PID 2016 wrote to memory of 5680	2016	cmd.exe	118
PID 2016 wrote to memory of 5680	2016	cmd.exe	118
PID 2016 wrote to memory of 5680	2016	cmd.exe	118
PID 4492 wrote to memory of 2352	4492	cmd.exe	123
PID 4492 wrote to memory of 2352	4492	cmd.exe	123
PID 4492 wrote to memory of 2352	4492	cmd.exe	123
PID 5480 wrote to memory of 6000	5480	cmd.exe	126
PID 5480 wrote to memory of 6000	5480	cmd.exe	126
PID 5480 wrote to memory of 6000	5480	cmd.exe	126
PID 4428 wrote to memory of 3536	4428	cmd.exe	129
PID 4428 wrote to memory of 3536	4428	cmd.exe	129
PID 4428 wrote to memory of 3536	4428	cmd.exe	129
PID 1824 wrote to memory of 4368	1824	cmd.exe	132
PID 1824 wrote to memory of 4368	1824	cmd.exe	132
PID 1824 wrote to memory of 4368	1824	cmd.exe	132
PID 2584 wrote to memory of 1740	2584	cmd.exe	135
PID 2584 wrote to memory of 1740	2584	cmd.exe	135
PID 2584 wrote to memory of 1740	2584	cmd.exe	135
PID 5268 wrote to memory of 5800	5268	cmd.exe	138
PID 5268 wrote to memory of 5800	5268	cmd.exe	138
PID 5268 wrote to memory of 5800	5268	cmd.exe	138
PID 4468 wrote to memory of 552	4468	cmd.exe	141
PID 4468 wrote to memory of 552	4468	cmd.exe	141
PID 4468 wrote to memory of 552	4468	cmd.exe	141
PID 2112 wrote to memory of 2508	2112	cmd.exe	144
PID 2112 wrote to memory of 2508	2112	cmd.exe	144
PID 2112 wrote to memory of 2508	2112	cmd.exe	144
PID 856 wrote to memory of 3336	856	cmd.exe	147
PID 856 wrote to memory of 3336	856	cmd.exe	147
PID 856 wrote to memory of 3336	856	cmd.exe	147
PID 4780 wrote to memory of 3568	4780	cmd.exe	150
PID 4780 wrote to memory of 3568	4780	cmd.exe	150
PID 4780 wrote to memory of 3568	4780	cmd.exe	150
PID 4800 wrote to memory of 4944	4800	cmd.exe	153
PID 4800 wrote to memory of 4944	4800	cmd.exe	153
PID 4800 wrote to memory of 4944	4800	cmd.exe	153
PID 5412 wrote to memory of 3588	5412	cmd.exe	156
PID 5412 wrote to memory of 3588	5412	cmd.exe	156
PID 5412 wrote to memory of 3588	5412	cmd.exe	156
PID 6060 wrote to memory of 3616	6060	cmd.exe	159
PID 6060 wrote to memory of 3616	6060	cmd.exe	159
PID 6060 wrote to memory of 3616	6060	cmd.exe	159
PID 4660 wrote to memory of 4728	4660	cmd.exe	162

C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5480
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5268
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5412
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6060
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2588
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2496
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:460
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3772
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5948
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3808
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:648
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3200
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5412
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:912
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:912
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5224
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:5592
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4880

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\thpaaafbivs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zlseixsyffa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzxrqujrsjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bihydvcjlgq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uyabbpqbimn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dpehzucssbt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\txxslrcxdpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfbawzmzvwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rxfpchmmddi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ykvitjeqitr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\runqscertpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\khucdhtlknu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tmrarbcxtgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ylhfumdzurl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xouoecvpbem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rshabgfqufl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dnrpyrygzwx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wyaxncumlhv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\awkzojcncft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\znzfckfruvx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ffzihfnlizd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gzrktxizrdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqtlrvppvqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yhfiforpmpy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tkwkhjutusl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipevdutpujd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xpncchilbyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hloacmqaava = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sqdmuxdjshz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hhlfrnxyber = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\azqpoihsaba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\grtazhifbzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfzivwoutvm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iirdeortirt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ryzbzyjpzce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztwhcbahyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etmsfsefjon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kdxhwexexkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kvpiyflzdat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pvxhjngdaex = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbtlanadvmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bersznbebrh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzkrqdnoelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ocrjkyouffs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gucsexwyidi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lwwiutdaeqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oaueghwhnll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jazddsdeijq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tswgqzqkczk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sgnmqkpmumb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jldihbublry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ocohqnqbtlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xnareemcdpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bzzmplkipms = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tpxtkkgzhph = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gttsmytejcv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fmnutajqobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rpfwpuymvqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nimjhbffggb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbsgzquutzj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jspgexrasvx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nkyyxtpaoxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afinymdkaqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tmzlhltlfpi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe"	2025-04-09_e03d1a7ac69135c69cdada0e87daff8e_gandcrab.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads