ac180766d0bf48d0c8e9423f606d3a587f0ac570a1b9c5c2d4bf966d39fb6840

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Size

70KB
MD5

fda0bb9e0800968ae8ddc387b47a2644
SHA1

6f2ba4f2f635cba1bae5fa0eda28cd08915d68f1
SHA256

ac180766d0bf48d0c8e9423f606d3a587f0ac570a1b9c5c2d4bf966d39fb6840
SHA512

7d1dce251244c1c6f245e5d5e433db7bd5a2007dd1b1b04585f25117fac10b9fe5a083a87510827e547c4cc5f79c967f4fb9adbed53fd23eadc78d78b05ee1fd
SSDEEP

1536:yZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:5d5BJHMqqDL2/Ovvdr

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Q:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Z:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\X:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\E:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\V:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\A:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\I:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\A:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\M:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\K:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\T:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\W:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\S:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\O:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\H:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\O:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\U:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\B:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\R:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\J:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\G:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\L:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\N:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\P:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
File opened (read-only)	\??\Y:	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3652	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3652	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3652	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4448	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4448	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4448	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4448	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4148	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4148	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4148	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4148	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5300	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5300	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5300	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5300	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3004	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3004	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3004	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3004	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1304	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1304	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1304	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1304	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4900	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4900	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4900	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
4900	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2456	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2456	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2456	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2456	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5820	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5820	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5820	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
5820	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
440	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
440	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
440	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
440	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3612	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3612	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3612	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3612	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2244	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2244	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2244	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
2244	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1680	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1680	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1680	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1680	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3444	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3444	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3444	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3444	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3756	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3756	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3756	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
3756	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
864	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
864	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
864	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
864	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4448	4708	cmd.exe	90
PID 4708 wrote to memory of 4448	4708	cmd.exe	90
PID 4708 wrote to memory of 4448	4708	cmd.exe	90
PID 4584 wrote to memory of 4148	4584	cmd.exe	94
PID 4584 wrote to memory of 4148	4584	cmd.exe	94
PID 4584 wrote to memory of 4148	4584	cmd.exe	94
PID 1968 wrote to memory of 5300	1968	cmd.exe	99
PID 1968 wrote to memory of 5300	1968	cmd.exe	99
PID 1968 wrote to memory of 5300	1968	cmd.exe	99
PID 1508 wrote to memory of 3004	1508	cmd.exe	104
PID 1508 wrote to memory of 3004	1508	cmd.exe	104
PID 1508 wrote to memory of 3004	1508	cmd.exe	104
PID 5384 wrote to memory of 1304	5384	cmd.exe	107
PID 5384 wrote to memory of 1304	5384	cmd.exe	107
PID 5384 wrote to memory of 1304	5384	cmd.exe	107
PID 2732 wrote to memory of 4900	2732	cmd.exe	111
PID 2732 wrote to memory of 4900	2732	cmd.exe	111
PID 2732 wrote to memory of 4900	2732	cmd.exe	111
PID 5376 wrote to memory of 2456	5376	cmd.exe	114
PID 5376 wrote to memory of 2456	5376	cmd.exe	114
PID 5376 wrote to memory of 2456	5376	cmd.exe	114
PID 3980 wrote to memory of 5820	3980	cmd.exe	117
PID 3980 wrote to memory of 5820	3980	cmd.exe	117
PID 3980 wrote to memory of 5820	3980	cmd.exe	117
PID 3700 wrote to memory of 440	3700	cmd.exe	122
PID 3700 wrote to memory of 440	3700	cmd.exe	122
PID 3700 wrote to memory of 440	3700	cmd.exe	122
PID 2804 wrote to memory of 3612	2804	cmd.exe	125
PID 2804 wrote to memory of 3612	2804	cmd.exe	125
PID 2804 wrote to memory of 3612	2804	cmd.exe	125
PID 1128 wrote to memory of 2244	1128	cmd.exe	128
PID 1128 wrote to memory of 2244	1128	cmd.exe	128
PID 1128 wrote to memory of 2244	1128	cmd.exe	128
PID 2652 wrote to memory of 1680	2652	cmd.exe	131
PID 2652 wrote to memory of 1680	2652	cmd.exe	131
PID 2652 wrote to memory of 1680	2652	cmd.exe	131
PID 1716 wrote to memory of 3444	1716	cmd.exe	134
PID 1716 wrote to memory of 3444	1716	cmd.exe	134
PID 1716 wrote to memory of 3444	1716	cmd.exe	134
PID 5296 wrote to memory of 3756	5296	cmd.exe	137
PID 5296 wrote to memory of 3756	5296	cmd.exe	137
PID 5296 wrote to memory of 3756	5296	cmd.exe	137
PID 1176 wrote to memory of 864	1176	cmd.exe	140
PID 1176 wrote to memory of 864	1176	cmd.exe	140
PID 1176 wrote to memory of 864	1176	cmd.exe	140
PID 1136 wrote to memory of 3584	1136	cmd.exe	143
PID 1136 wrote to memory of 3584	1136	cmd.exe	143
PID 1136 wrote to memory of 3584	1136	cmd.exe	143
PID 5060 wrote to memory of 2204	5060	cmd.exe	146
PID 5060 wrote to memory of 2204	5060	cmd.exe	146
PID 5060 wrote to memory of 2204	5060	cmd.exe	146
PID 4176 wrote to memory of 4556	4176	cmd.exe	149
PID 4176 wrote to memory of 4556	4176	cmd.exe	149
PID 4176 wrote to memory of 4556	4176	cmd.exe	149
PID 6096 wrote to memory of 5936	6096	cmd.exe	152
PID 6096 wrote to memory of 5936	6096	cmd.exe	152
PID 6096 wrote to memory of 5936	6096	cmd.exe	152
PID 1816 wrote to memory of 1876	1816	cmd.exe	155
PID 1816 wrote to memory of 1876	1816	cmd.exe	155
PID 1816 wrote to memory of 1876	1816	cmd.exe	155
PID 4992 wrote to memory of 4768	4992	cmd.exe	158
PID 4992 wrote to memory of 4768	4992	cmd.exe	158
PID 4992 wrote to memory of 4768	4992	cmd.exe	158
PID 4404 wrote to memory of 1084	4404	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5384
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5376
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5296
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6096
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1796
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2832
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4364
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:836
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1868
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5036
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4292
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1868
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4660
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:744
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2200
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:744
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Checks processor information in registry
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5996
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elbsnyxauza = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\giautuetfdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jrrepdxctjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xqaoxokdhuu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulrwslxucwm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fwrsrlcrrsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulfzhusbrcy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\msykedbvcwx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cghnqtzogvx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\crtdywdfage = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fzmtlgwsqao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcdqfkzllto = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ljemhpxmlhx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrbepbsnjqj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fryniasurje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjtetzhlldw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\blfwlscehmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ohwjyorfnuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqpmgbssfbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xyjavrcqcvp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nmsyldeujhy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhcuxrwdinr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mdsmmynxniy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fgqgjfuaecb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oldfkxxjsou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ffuanrtvnfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fojepuxnomt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nykddauxgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzmpgdtnroz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kjirvjdpxsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dqiyinsuchb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nntqlgnjryk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lurvdhihwzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gquscxirvhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rtyifcyhhzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cqmhwekwbrz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\onzeeaqldsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ukdxuvqrglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pgioguibrta = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpxodhrirtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gimxsmtvduj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjbulagphkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sgoptkdimgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fqgothuvgok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\juitlnkzdxe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bplbpwhrpgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gufjfbdhxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\imxqkpdeobr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjulbshuwdi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mnpyftjjcnk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frhcnymzhuy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tojxsyrcfmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hcvwxpvkaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fvsqauvuzmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fwkdrcolcwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlnftmxmaee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhfjfcwjbgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\acsjlgcrtnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kyjhhmdrcyx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dogjytbkkeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ftqvcihtayw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fhoejoppxoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pppckuzziew = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fheuzwxqrrh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe"	2025-04-10_fda0bb9e0800968ae8ddc387b47a2644_elex_gandcrab.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads