9564ad75050c2f32ec10e7a9a52155a6e1848736fd2d1f6e40ca72e9dc066d94

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Size

70KB
MD5

b420a40d149a87c27db9706b84e78f7e
SHA1

606963e0078eee97dd41c68cace60c6e9c1fdf18
SHA256

9564ad75050c2f32ec10e7a9a52155a6e1848736fd2d1f6e40ca72e9dc066d94
SHA512

541694fd8dd2cfc1e8bdea90f2e21f2e0b72d978e628e2e2ce594db2c048f6b4b20fe4cfb23c85e83c6c2795a159dcb38366d1f39df3e96bf864c3b91a71b758
SSDEEP

1536:uZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Nd5BJHMqqDL2/Ovvdr

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\O:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Z:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\I:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\I:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3016	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3016	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3016	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3344	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3344	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3344	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3344	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4004	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4004	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4004	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4004	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4108	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4108	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4108	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4108	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4012	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4012	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4012	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4012	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1264	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1264	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1264	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1264	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5352	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5352	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5352	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5352	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
624	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
624	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
624	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
624	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
544	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
544	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
544	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
544	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2160	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2160	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2160	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2160	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3416	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3416	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3416	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3416	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1464	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1464	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1464	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1464	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2608	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2608	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2608	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
2608	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3880	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3880	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3880	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
3880	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5324	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5324	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5324	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
5324	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4408	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4408	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4408	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
4408	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3344	2852	cmd.exe	91
PID 2852 wrote to memory of 3344	2852	cmd.exe	91
PID 2852 wrote to memory of 3344	2852	cmd.exe	91
PID 3848 wrote to memory of 4004	3848	cmd.exe	98
PID 3848 wrote to memory of 4004	3848	cmd.exe	98
PID 3848 wrote to memory of 4004	3848	cmd.exe	98
PID 3388 wrote to memory of 4108	3388	cmd.exe	104
PID 3388 wrote to memory of 4108	3388	cmd.exe	104
PID 3388 wrote to memory of 4108	3388	cmd.exe	104
PID 3932 wrote to memory of 4012	3932	cmd.exe	107
PID 3932 wrote to memory of 4012	3932	cmd.exe	107
PID 3932 wrote to memory of 4012	3932	cmd.exe	107
PID 5172 wrote to memory of 1264	5172	cmd.exe	110
PID 5172 wrote to memory of 1264	5172	cmd.exe	110
PID 5172 wrote to memory of 1264	5172	cmd.exe	110
PID 3236 wrote to memory of 5352	3236	cmd.exe	114
PID 3236 wrote to memory of 5352	3236	cmd.exe	114
PID 3236 wrote to memory of 5352	3236	cmd.exe	114
PID 1836 wrote to memory of 624	1836	cmd.exe	117
PID 1836 wrote to memory of 624	1836	cmd.exe	117
PID 1836 wrote to memory of 624	1836	cmd.exe	117
PID 4672 wrote to memory of 544	4672	cmd.exe	122
PID 4672 wrote to memory of 544	4672	cmd.exe	122
PID 4672 wrote to memory of 544	4672	cmd.exe	122
PID 924 wrote to memory of 2160	924	cmd.exe	125
PID 924 wrote to memory of 2160	924	cmd.exe	125
PID 924 wrote to memory of 2160	924	cmd.exe	125
PID 5456 wrote to memory of 3416	5456	cmd.exe	128
PID 5456 wrote to memory of 3416	5456	cmd.exe	128
PID 5456 wrote to memory of 3416	5456	cmd.exe	128
PID 6116 wrote to memory of 1464	6116	cmd.exe	131
PID 6116 wrote to memory of 1464	6116	cmd.exe	131
PID 6116 wrote to memory of 1464	6116	cmd.exe	131
PID 4516 wrote to memory of 2608	4516	cmd.exe	134
PID 4516 wrote to memory of 2608	4516	cmd.exe	134
PID 4516 wrote to memory of 2608	4516	cmd.exe	134
PID 1520 wrote to memory of 3880	1520	cmd.exe	137
PID 1520 wrote to memory of 3880	1520	cmd.exe	137
PID 1520 wrote to memory of 3880	1520	cmd.exe	137
PID 2432 wrote to memory of 5324	2432	cmd.exe	140
PID 2432 wrote to memory of 5324	2432	cmd.exe	140
PID 2432 wrote to memory of 5324	2432	cmd.exe	140
PID 2308 wrote to memory of 4408	2308	cmd.exe	143
PID 2308 wrote to memory of 4408	2308	cmd.exe	143
PID 2308 wrote to memory of 4408	2308	cmd.exe	143
PID 1052 wrote to memory of 5928	1052	cmd.exe	146
PID 1052 wrote to memory of 5928	1052	cmd.exe	146
PID 1052 wrote to memory of 5928	1052	cmd.exe	146
PID 1892 wrote to memory of 5044	1892	cmd.exe	149
PID 1892 wrote to memory of 5044	1892	cmd.exe	149
PID 1892 wrote to memory of 5044	1892	cmd.exe	149
PID 3976 wrote to memory of 4264	3976	cmd.exe	152
PID 3976 wrote to memory of 4264	3976	cmd.exe	152
PID 3976 wrote to memory of 4264	3976	cmd.exe	152
PID 2896 wrote to memory of 3348	2896	cmd.exe	155
PID 2896 wrote to memory of 3348	2896	cmd.exe	155
PID 2896 wrote to memory of 3348	2896	cmd.exe	155
PID 5252 wrote to memory of 2628	5252	cmd.exe	158
PID 5252 wrote to memory of 2628	5252	cmd.exe	158
PID 5252 wrote to memory of 2628	5252	cmd.exe	158
PID 2380 wrote to memory of 3968	2380	cmd.exe	161
PID 2380 wrote to memory of 3968	2380	cmd.exe	161
PID 2380 wrote to memory of 3968	2380	cmd.exe	161
PID 3848 wrote to memory of 2960	3848	cmd.exe	164

C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5456
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5252
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4128
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:944
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5548
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2168
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5580
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3352
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4260
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2212
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:620
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1060
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5948
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:348
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4640
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3716
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1604
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2860
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2268
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:912

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\btzjidmfsmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mpgfdkgrnfa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pnnbpdubgvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rbaczzwswqo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\epvufhgiiiy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\maskkxjpaei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fotiakosxtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qofzzqrchoh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cgwdalnjqla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhfbimogsgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pyamwklryjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yidldultxgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jzqsalqgchc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jkbleuxqgcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kxblwfucxpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ounqibsnbpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xowscvdoemc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nrjqvlwrzpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngxpoyttbkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\trvboqstdpy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fmgtzpxotap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjokvrxtahc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gmkvvmgogei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rkuubzxpijn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\undulwhglor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdenuhahkdc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\molxtacggpf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rhxeozkygvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqcnccpxfvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\djikydmrjvv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lutprpnwapp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugcfsvfuhsl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\osdcclipjmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eilfkgecnvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oppmmksaycd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\goayvvzsdaw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uktdzedxoye = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ppivnacaruk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\feqnlrgtful = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmbrhkdrnhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hdbkltcjdmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ijwayxuunyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavsotremfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abpeeoruvkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tpsnusigrtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xaxfacziclt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivyssuofxnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\klsldmnfyhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rjnnvwffyae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdrhwezjecl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\devmrpfxira = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hfwudwfwxpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pgoifhzxomt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsrlgpkosqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lddzpqpjjju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ldsjmumeovc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ffismsiulio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfiijoenizi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrqouqdfudn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jvjtdyijdkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yblsbrsbbte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twunrokxlnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\akgydcaifds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mhplkdpbnif = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe"	2025-04-09_b420a40d149a87c27db9706b84e78f7e_gandcrab.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads