SmartHawk

6.0

高危

50 个模型检测该样本为恶意！

重新分析

下载样本

007b5f204f5adfa631bab173a413a849da6d36cb198e9112777facdd090258f2

3867aff469391fba964309a4ba7a8ca2.exe

分析耗时

89s

最近分析

文件大小

728.5KB

静态报毒动态报毒 100% AGEN AI SCORE=100 AIDETECTVM ARTEMIS CONFIDENCE FILECODER FILECRYPTER GENERICKD HERUGN HIGH CONFIDENCE HYDRA HYDRACRYPT IYLN LKDZ MALWARE1 MALWARE@#215950KU0W2QE OCCAMY QVM11 R06EC0PI220 SCORE SUSGEN TMGFAEO@XBL UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Ransom:Win32/Filecoder.cb98fb36	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201228	21.1.5827.0
Tencent	Win32.Trojan.Gen.Lkdz	20201228	1.0.0.1
Kingsoft		20201228	2017.9.26.565
McAfee	Artemis!3867AFF46939	20201228	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.916977364159064

section

{'size_of_data': '0x000b5e00', 'virtual_address': '0x00152000', 'entropy': 7.916977364159064, 'name': 'UPX1', 'virtual_size': '0x000b6000'}

description

A section with a high entropy has been found

entropy

0.9993131868131868

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 个事件)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 438 个事件)

file	C:\Python27\Lib\distutils\tests\__init__.py
file	C:\Python27\Lib\email\errors.pyc
file	C:\Python27\Lib\email\mime\multipart.py
file	C:\Python27\Lib\codeop.py
file	C:\Python27\Lib\encodings\cp1253.py
file	C:\Python27\Lib\ctypes\test\test_win32.py
file	C:\Python27\Lib\email\mime\audio.py
file	C:\Python27\Lib\email\_parseaddr.pyc
file	C:\Python27\Lib\copy_reg.pyc
file	C:\Python27\Lib\bisect.pyc
file	C:\Python27\Lib\email\feedparser.py
file	C:\Python27\Lib\__phello__.foo.py
file	C:\Python27\Lib\distutils\log.py
file	C:\Python27\Lib\antigravity.py
file	C:\Python27\Lib\chunk.py
file	C:\Python27\Lib\UserDict.py
file	C:\Python27\Lib\distutils\errors.py
file	C:\Python27\Lib\distutils\tests\test_bdist.py
file	C:\Python27\Lib\SimpleHTTPServer.pyc
file	C:\Python27\Lib\bsddb\test\test_replication.py
file	C:\Python27\Lib\distutils\command\bdist.py
file	C:\Python27\Lib\ctypes\test\test_buffers.py
file	C:\Python27\Lib\dbhash.py
file	C:\Python27\Lib\ctypes\macholib\dyld.py
file	C:\Python27\Lib\HTMLParser.py
file	C:\Python27\Lib\commands.py
file	C:\Python27\Lib\email\test\data\msg_32.txt
file	C:\Python27\Lib\compiler\future.py
file	C:\Python27\Lib\bsddb\dbshelve.py
file	C:\Python27\Lib\ctypes\test\test_keeprefs.py
file	C:\Python27\Lib\ast.py
file	C:\Python27\Lib\bsddb\dbutils.py
file	C:\Python27\Lib\encodings\big5hkscs.py
file	C:\Python27\Lib\ctypes\__init__.py
file	C:\Python27\Lib\_MozillaCookieJar.py
file	C:\Python27\Lib\email\header.py
file	C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
file	C:\Python27\Lib\colorsys.py
file	C:\Python27\Lib\distutils\tests\test_version.py
file	C:\Python27\Lib\encodings\cp1140.py
file	C:\Python27\Lib\ctypes\test\test_incomplete.py
file	C:\Python27\Lib\distutils\unixccompiler.py
file	C:\Python27\Lib\distutils\tests\test_sysconfig.py
file	C:\Python27\Lib\encodings\base64_codec.py
file	C:\Python27\Lib\distutils\command\build_scripts.py
file	C:\Python27\Lib\distutils\log.pyc
file	C:\Python27\Lib\distutils\command\bdist_msi.py
file	C:\Python27\Lib\ctypes\test\test_cast.py
file	C:\Python27\Lib\email\test\data\msg_28.txt
file	C:\Python27\Lib\distutils\tests\test_build_clib.py

Writes a potential ransom message to disk (50 out of 72 个事件)

Time & API	Arguments	Status
1619345034.387026 NtWriteFile	file_handle: 0x00000154 filepath: C:\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.402026 NtWriteFile	file_handle: 0x00000154 filepath: C:\PerfLogs\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.402026 NtWriteFile	file_handle: 0x00000154 filepath: C:\PerfLogs\Admin\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.418026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.434026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.465026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Assistance\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.481026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Assistance\Client\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.512026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.512026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.731026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.856026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Crypto\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.856026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Crypto\DSS\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.918026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345034.981026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Crypto\Keys\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.356026 NtWriteFile	file_handle: 0x00000158 filepath: C:\ProgramData\Microsoft\Crypto\RSA\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.371026 NtWriteFile	file_handle: 0x00000158 filepath: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.387026 NtWriteFile	file_handle: 0x00000158 filepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.465026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\DRM\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.496026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\DRM\Server\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.512026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.527026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Device\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.543026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.574026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.606026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Task\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.652026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.684026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\zh-CN\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.699026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.746026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\zh-CN\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.762026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\DeviceSync\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.777026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\IdentityCRL\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.809026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\IlsCache\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.934026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\MF\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.965026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Media Player\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.981026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Network\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345035.996026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Network\Connections\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345036.012026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Network\Downloader\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345036.027026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\RAC\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345036.027026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\RAC\Outbound\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345036.043026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\RAC\PublishedData\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345037.621026 NtWriteFile	file_handle: 0x00000158 filepath: C:\ProgramData\Microsoft\RAC\StateData\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345037.762026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\RAC\Temp\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345037.902026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Search\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345037.949026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Search\Data\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345037.981026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Search\Data\Applications\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345038.012026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Search\Data\Temp\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345038.027026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345038.059026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\User Account Pictures\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345038.074026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345038.824026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Vault\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success
1619345038.887026 NtWriteFile	file_handle: 0x00000154 filepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\__________WHY FILES NOT WORK__________.txt buffer: Attention! Your network has been compromised and all of your files has been encrytped by "Hydra Ransomware" team! We used nextgen strong cryptography in order to encrypt your files. The only way to restore your files is to buy decryptor! * You must know the worst thing is happened now and you cannot hide our successful attack! Understand if payment is not made on time. All your company data will be permanently destroyed. Your backups has been fatal and it is just a waste of your precious time if going to try them! * IF YOU UNDERSTAND THE SITUATION, FOLLOW THE RECOVERY INSTRUCTIONS BELOW 1. Copy your Network ID and send to our email. Network ID : DM5V6T52K4 Email : crossroads2371@protonmail.ch 2. You will receive a amount and payment order. 3. We will send you decryptor with private key to recovery your files. * You can ask for 1 free file decryption as proof of work in the first correspondence! * Your time for save your files has limited to one week (from first impact) before we delete our temporary email address! * Data manipulation cause permanent loss of files! offset: 0	success

Detects the presence of Wine emulator (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345034.215026 LdrGetProcedureAddress	ordinal: 0 module: ntdll module_address: 0x77d30000 function_address: 0x0018fe54 function_name: wine_get_version	failed	3221225785	0

Performs 436 file moves indicative of a ransomware file encryption process (50 out of 436 个事件)

Time & API	Arguments	Status	Return
1619345034.590026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D.$TMP	success	1
1619345034.684026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck.$TMP	success	1
1619345034.824026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D.$TMP	success	1
1619345034.856026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck.$TMP	success	1
1619345035.340026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP newfilepath: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee newfilepath_r: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP	success	1
1619345035.449026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP newfilepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee newfilepath_r: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP	success	1
1619345035.887026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.$TMP newfilepath: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml newfilepath_r: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.$TMP	success	1
1619345035.934026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.$TMP newfilepath: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml newfilepath_r: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.$TMP	success	1
1619345037.621026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf.$TMP newfilepath: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf newfilepath_r: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf.$TMP	failed	0
1619345037.746026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat.$TMP newfilepath: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat newfilepath_r: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat.$TMP	success	1
1619345038.512026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.$TMP newfilepath: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp newfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.$TMP	success	1
1619345038.777026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.$TMP newfilepath: C:\ProgramData\Microsoft\User Account Pictures\user.bmp newfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\user.bmp flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.$TMP	success	1
1619345038.934026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.$TMP newfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch newfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.$TMP	success	1
1619345038.965026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.$TMP newfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch newfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.$TMP	success	1
1619345038.981026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.$TMP newfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol newfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.$TMP	success	1
1619345039.402026 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\py.ico.$TMP newfilepath: C:\Python27\DLLs\py.ico newfilepath_r: C:\Python27\DLLs\py.ico flags: 1 oldfilepath_r: C:\Python27\DLLs\py.ico.$TMP	success	1
1619345039.559026 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\pyc.ico.$TMP newfilepath: C:\Python27\DLLs\pyc.ico newfilepath_r: C:\Python27\DLLs\pyc.ico flags: 1 oldfilepath_r: C:\Python27\DLLs\pyc.ico.$TMP	success	1
1619345059.621026 MoveFileWithProgressW	oldfilepath: C:\Python27\Doc\python2718.chm.$TMP newfilepath: C:\Python27\Doc\python2718.chm newfilepath_r: C:\Python27\Doc\python2718.chm flags: 1 oldfilepath_r: C:\Python27\Doc\python2718.chm.$TMP	success	1
1619345059.777026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\BaseHTTPServer.pyc.$TMP newfilepath: C:\Python27\Lib\BaseHTTPServer.pyc newfilepath_r: C:\Python27\Lib\BaseHTTPServer.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\BaseHTTPServer.pyc.$TMP	success	1
1619345059.856026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Bastion.py.$TMP newfilepath: C:\Python27\Lib\Bastion.py newfilepath_r: C:\Python27\Lib\Bastion.py flags: 1 oldfilepath_r: C:\Python27\Lib\Bastion.py.$TMP	success	1
1619345059.934026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\CGIHTTPServer.py.$TMP newfilepath: C:\Python27\Lib\CGIHTTPServer.py newfilepath_r: C:\Python27\Lib\CGIHTTPServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\CGIHTTPServer.py.$TMP	success	1
1619345060.059026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\ConfigParser.py.$TMP newfilepath: C:\Python27\Lib\ConfigParser.py newfilepath_r: C:\Python27\Lib\ConfigParser.py flags: 1 oldfilepath_r: C:\Python27\Lib\ConfigParser.py.$TMP	success	1
1619345060.152026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\ConfigParser.pyc.$TMP newfilepath: C:\Python27\Lib\ConfigParser.pyc newfilepath_r: C:\Python27\Lib\ConfigParser.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\ConfigParser.pyc.$TMP	success	1
1619345060.262026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Cookie.py.$TMP newfilepath: C:\Python27\Lib\Cookie.py newfilepath_r: C:\Python27\Lib\Cookie.py flags: 1 oldfilepath_r: C:\Python27\Lib\Cookie.py.$TMP	success	1
1619345060.387026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Cookie.pyc.$TMP newfilepath: C:\Python27\Lib\Cookie.pyc newfilepath_r: C:\Python27\Lib\Cookie.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\Cookie.pyc.$TMP	success	1
1619345060.512026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\DocXMLRPCServer.py.$TMP newfilepath: C:\Python27\Lib\DocXMLRPCServer.py newfilepath_r: C:\Python27\Lib\DocXMLRPCServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\DocXMLRPCServer.py.$TMP	success	1
1619345060.684026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\HTMLParser.py.$TMP newfilepath: C:\Python27\Lib\HTMLParser.py newfilepath_r: C:\Python27\Lib\HTMLParser.py flags: 1 oldfilepath_r: C:\Python27\Lib\HTMLParser.py.$TMP	success	1
1619345060.746026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\HTMLParser.pyc.$TMP newfilepath: C:\Python27\Lib\HTMLParser.pyc newfilepath_r: C:\Python27\Lib\HTMLParser.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\HTMLParser.pyc.$TMP	success	1
1619345060.793026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\MimeWriter.py.$TMP newfilepath: C:\Python27\Lib\MimeWriter.py newfilepath_r: C:\Python27\Lib\MimeWriter.py flags: 1 oldfilepath_r: C:\Python27\Lib\MimeWriter.py.$TMP	success	1
1619345060.902026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Queue.py.$TMP newfilepath: C:\Python27\Lib\Queue.py newfilepath_r: C:\Python27\Lib\Queue.py flags: 1 oldfilepath_r: C:\Python27\Lib\Queue.py.$TMP	success	1
1619345060.949026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Queue.pyc.$TMP newfilepath: C:\Python27\Lib\Queue.pyc newfilepath_r: C:\Python27\Lib\Queue.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\Queue.pyc.$TMP	success	1
1619345061.012026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SimpleHTTPServer.py.$TMP newfilepath: C:\Python27\Lib\SimpleHTTPServer.py newfilepath_r: C:\Python27\Lib\SimpleHTTPServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\SimpleHTTPServer.py.$TMP	success	1
1619345061.059026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SimpleHTTPServer.pyc.$TMP newfilepath: C:\Python27\Lib\SimpleHTTPServer.pyc newfilepath_r: C:\Python27\Lib\SimpleHTTPServer.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\SimpleHTTPServer.pyc.$TMP	success	1
1619345061.199026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SimpleXMLRPCServer.py.$TMP newfilepath: C:\Python27\Lib\SimpleXMLRPCServer.py newfilepath_r: C:\Python27\Lib\SimpleXMLRPCServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\SimpleXMLRPCServer.py.$TMP	success	1
1619345061.293026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SocketServer.py.$TMP newfilepath: C:\Python27\Lib\SocketServer.py newfilepath_r: C:\Python27\Lib\SocketServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\SocketServer.py.$TMP	success	1
1619345061.402026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SocketServer.pyc.$TMP newfilepath: C:\Python27\Lib\SocketServer.pyc newfilepath_r: C:\Python27\Lib\SocketServer.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\SocketServer.pyc.$TMP	success	1
1619345061.465026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\StringIO.py.$TMP newfilepath: C:\Python27\Lib\StringIO.py newfilepath_r: C:\Python27\Lib\StringIO.py flags: 1 oldfilepath_r: C:\Python27\Lib\StringIO.py.$TMP	success	1
1619345061.527026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\StringIO.pyc.$TMP newfilepath: C:\Python27\Lib\StringIO.pyc newfilepath_r: C:\Python27\Lib\StringIO.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\StringIO.pyc.$TMP	success	1
1619345061.574026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserDict.py.$TMP newfilepath: C:\Python27\Lib\UserDict.py newfilepath_r: C:\Python27\Lib\UserDict.py flags: 1 oldfilepath_r: C:\Python27\Lib\UserDict.py.$TMP	success	1
1619345061.637026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserDict.pyc.$TMP newfilepath: C:\Python27\Lib\UserDict.pyc newfilepath_r: C:\Python27\Lib\UserDict.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\UserDict.pyc.$TMP	success	1
1619345061.668026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserList.py.$TMP newfilepath: C:\Python27\Lib\UserList.py newfilepath_r: C:\Python27\Lib\UserList.py flags: 1 oldfilepath_r: C:\Python27\Lib\UserList.py.$TMP	success	1
1619345061.731026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserString.py.$TMP newfilepath: C:\Python27\Lib\UserString.py newfilepath_r: C:\Python27\Lib\UserString.py flags: 1 oldfilepath_r: C:\Python27\Lib\UserString.py.$TMP	success	1
1619345061.777026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_LWPCookieJar.py.$TMP newfilepath: C:\Python27\Lib\_LWPCookieJar.py newfilepath_r: C:\Python27\Lib\_LWPCookieJar.py flags: 1 oldfilepath_r: C:\Python27\Lib\_LWPCookieJar.py.$TMP	success	1
1619345061.824026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_LWPCookieJar.pyc.$TMP newfilepath: C:\Python27\Lib\_LWPCookieJar.pyc newfilepath_r: C:\Python27\Lib\_LWPCookieJar.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\_LWPCookieJar.pyc.$TMP	success	1
1619345061.887026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_MozillaCookieJar.py.$TMP newfilepath: C:\Python27\Lib\_MozillaCookieJar.py newfilepath_r: C:\Python27\Lib\_MozillaCookieJar.py flags: 1 oldfilepath_r: C:\Python27\Lib\_MozillaCookieJar.py.$TMP	success	1
1619345062.043026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_MozillaCookieJar.pyc.$TMP newfilepath: C:\Python27\Lib\_MozillaCookieJar.pyc newfilepath_r: C:\Python27\Lib\_MozillaCookieJar.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\_MozillaCookieJar.pyc.$TMP	success	1
1619345062.184026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\__future__.py.$TMP newfilepath: C:\Python27\Lib\__future__.py newfilepath_r: C:\Python27\Lib\__future__.py flags: 1 oldfilepath_r: C:\Python27\Lib\__future__.py.$TMP	success	1
1619345062.324026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\__future__.pyc.$TMP newfilepath: C:\Python27\Lib\__future__.pyc newfilepath_r: C:\Python27\Lib\__future__.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\__future__.pyc.$TMP	success	1
1619345062.371026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\__phello__.foo.py.$TMP newfilepath: C:\Python27\Lib\__phello__.foo.py newfilepath_r: C:\Python27\Lib\__phello__.foo.py flags: 1 oldfilepath_r: C:\Python27\Lib\__phello__.foo.py.$TMP	success	1
1619345062.746026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_abcoll.py.$TMP newfilepath: C:\Python27\Lib\_abcoll.py newfilepath_r: C:\Python27\Lib\_abcoll.py flags: 1 oldfilepath_r: C:\Python27\Lib\_abcoll.py.$TMP	success	1

Appends a new file extension or content to 436 files indicative of a ransomware file encryption process (50 out of 436 个事件)

Time & API	Arguments	Status	Return
1619345034.590026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_CValidator.H1D.$TMP	success	1
1619345034.684026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\Help_MValidator.Lck.$TMP	success	1
1619345034.824026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_CValidator.H1D.$TMP	success	1
1619345034.856026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck.$TMP newfilepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck newfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\Help_MValidator.Lck.$TMP	success	1
1619345035.340026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP newfilepath: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee newfilepath_r: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Crypto\Keys\1c22191939c6f803ba0c4ea9bf5b4d67_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP	success	1
1619345035.449026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP newfilepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee newfilepath_r: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee.$TMP	success	1
1619345035.887026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.$TMP newfilepath: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml newfilepath_r: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.$TMP	success	1
1619345035.934026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.$TMP newfilepath: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml newfilepath_r: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.$TMP	success	1
1619345037.621026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf.$TMP newfilepath: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf newfilepath_r: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf.$TMP	failed	0
1619345037.746026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat.$TMP newfilepath: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat newfilepath_r: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat.$TMP	success	1
1619345038.512026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.$TMP newfilepath: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp newfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.$TMP	success	1
1619345038.777026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.$TMP newfilepath: C:\ProgramData\Microsoft\User Account Pictures\user.bmp newfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\user.bmp flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.$TMP	success	1
1619345038.934026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.$TMP newfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch newfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.$TMP	success	1
1619345038.965026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.$TMP newfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch newfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.$TMP	success	1
1619345038.981026 MoveFileWithProgressW	oldfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.$TMP newfilepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol newfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol flags: 1 oldfilepath_r: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.$TMP	success	1
1619345039.402026 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\py.ico.$TMP newfilepath: C:\Python27\DLLs\py.ico newfilepath_r: C:\Python27\DLLs\py.ico flags: 1 oldfilepath_r: C:\Python27\DLLs\py.ico.$TMP	success	1
1619345039.559026 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\pyc.ico.$TMP newfilepath: C:\Python27\DLLs\pyc.ico newfilepath_r: C:\Python27\DLLs\pyc.ico flags: 1 oldfilepath_r: C:\Python27\DLLs\pyc.ico.$TMP	success	1
1619345059.621026 MoveFileWithProgressW	oldfilepath: C:\Python27\Doc\python2718.chm.$TMP newfilepath: C:\Python27\Doc\python2718.chm newfilepath_r: C:\Python27\Doc\python2718.chm flags: 1 oldfilepath_r: C:\Python27\Doc\python2718.chm.$TMP	success	1
1619345059.777026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\BaseHTTPServer.pyc.$TMP newfilepath: C:\Python27\Lib\BaseHTTPServer.pyc newfilepath_r: C:\Python27\Lib\BaseHTTPServer.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\BaseHTTPServer.pyc.$TMP	success	1
1619345059.856026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Bastion.py.$TMP newfilepath: C:\Python27\Lib\Bastion.py newfilepath_r: C:\Python27\Lib\Bastion.py flags: 1 oldfilepath_r: C:\Python27\Lib\Bastion.py.$TMP	success	1
1619345059.934026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\CGIHTTPServer.py.$TMP newfilepath: C:\Python27\Lib\CGIHTTPServer.py newfilepath_r: C:\Python27\Lib\CGIHTTPServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\CGIHTTPServer.py.$TMP	success	1
1619345060.059026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\ConfigParser.py.$TMP newfilepath: C:\Python27\Lib\ConfigParser.py newfilepath_r: C:\Python27\Lib\ConfigParser.py flags: 1 oldfilepath_r: C:\Python27\Lib\ConfigParser.py.$TMP	success	1
1619345060.152026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\ConfigParser.pyc.$TMP newfilepath: C:\Python27\Lib\ConfigParser.pyc newfilepath_r: C:\Python27\Lib\ConfigParser.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\ConfigParser.pyc.$TMP	success	1
1619345060.262026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Cookie.py.$TMP newfilepath: C:\Python27\Lib\Cookie.py newfilepath_r: C:\Python27\Lib\Cookie.py flags: 1 oldfilepath_r: C:\Python27\Lib\Cookie.py.$TMP	success	1
1619345060.387026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Cookie.pyc.$TMP newfilepath: C:\Python27\Lib\Cookie.pyc newfilepath_r: C:\Python27\Lib\Cookie.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\Cookie.pyc.$TMP	success	1
1619345060.512026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\DocXMLRPCServer.py.$TMP newfilepath: C:\Python27\Lib\DocXMLRPCServer.py newfilepath_r: C:\Python27\Lib\DocXMLRPCServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\DocXMLRPCServer.py.$TMP	success	1
1619345060.684026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\HTMLParser.py.$TMP newfilepath: C:\Python27\Lib\HTMLParser.py newfilepath_r: C:\Python27\Lib\HTMLParser.py flags: 1 oldfilepath_r: C:\Python27\Lib\HTMLParser.py.$TMP	success	1
1619345060.746026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\HTMLParser.pyc.$TMP newfilepath: C:\Python27\Lib\HTMLParser.pyc newfilepath_r: C:\Python27\Lib\HTMLParser.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\HTMLParser.pyc.$TMP	success	1
1619345060.793026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\MimeWriter.py.$TMP newfilepath: C:\Python27\Lib\MimeWriter.py newfilepath_r: C:\Python27\Lib\MimeWriter.py flags: 1 oldfilepath_r: C:\Python27\Lib\MimeWriter.py.$TMP	success	1
1619345060.902026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Queue.py.$TMP newfilepath: C:\Python27\Lib\Queue.py newfilepath_r: C:\Python27\Lib\Queue.py flags: 1 oldfilepath_r: C:\Python27\Lib\Queue.py.$TMP	success	1
1619345060.949026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\Queue.pyc.$TMP newfilepath: C:\Python27\Lib\Queue.pyc newfilepath_r: C:\Python27\Lib\Queue.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\Queue.pyc.$TMP	success	1
1619345061.012026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SimpleHTTPServer.py.$TMP newfilepath: C:\Python27\Lib\SimpleHTTPServer.py newfilepath_r: C:\Python27\Lib\SimpleHTTPServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\SimpleHTTPServer.py.$TMP	success	1
1619345061.059026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SimpleHTTPServer.pyc.$TMP newfilepath: C:\Python27\Lib\SimpleHTTPServer.pyc newfilepath_r: C:\Python27\Lib\SimpleHTTPServer.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\SimpleHTTPServer.pyc.$TMP	success	1
1619345061.199026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SimpleXMLRPCServer.py.$TMP newfilepath: C:\Python27\Lib\SimpleXMLRPCServer.py newfilepath_r: C:\Python27\Lib\SimpleXMLRPCServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\SimpleXMLRPCServer.py.$TMP	success	1
1619345061.293026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SocketServer.py.$TMP newfilepath: C:\Python27\Lib\SocketServer.py newfilepath_r: C:\Python27\Lib\SocketServer.py flags: 1 oldfilepath_r: C:\Python27\Lib\SocketServer.py.$TMP	success	1
1619345061.402026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\SocketServer.pyc.$TMP newfilepath: C:\Python27\Lib\SocketServer.pyc newfilepath_r: C:\Python27\Lib\SocketServer.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\SocketServer.pyc.$TMP	success	1
1619345061.465026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\StringIO.py.$TMP newfilepath: C:\Python27\Lib\StringIO.py newfilepath_r: C:\Python27\Lib\StringIO.py flags: 1 oldfilepath_r: C:\Python27\Lib\StringIO.py.$TMP	success	1
1619345061.527026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\StringIO.pyc.$TMP newfilepath: C:\Python27\Lib\StringIO.pyc newfilepath_r: C:\Python27\Lib\StringIO.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\StringIO.pyc.$TMP	success	1
1619345061.574026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserDict.py.$TMP newfilepath: C:\Python27\Lib\UserDict.py newfilepath_r: C:\Python27\Lib\UserDict.py flags: 1 oldfilepath_r: C:\Python27\Lib\UserDict.py.$TMP	success	1
1619345061.637026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserDict.pyc.$TMP newfilepath: C:\Python27\Lib\UserDict.pyc newfilepath_r: C:\Python27\Lib\UserDict.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\UserDict.pyc.$TMP	success	1
1619345061.668026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserList.py.$TMP newfilepath: C:\Python27\Lib\UserList.py newfilepath_r: C:\Python27\Lib\UserList.py flags: 1 oldfilepath_r: C:\Python27\Lib\UserList.py.$TMP	success	1
1619345061.731026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\UserString.py.$TMP newfilepath: C:\Python27\Lib\UserString.py newfilepath_r: C:\Python27\Lib\UserString.py flags: 1 oldfilepath_r: C:\Python27\Lib\UserString.py.$TMP	success	1
1619345061.777026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_LWPCookieJar.py.$TMP newfilepath: C:\Python27\Lib\_LWPCookieJar.py newfilepath_r: C:\Python27\Lib\_LWPCookieJar.py flags: 1 oldfilepath_r: C:\Python27\Lib\_LWPCookieJar.py.$TMP	success	1
1619345061.824026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_LWPCookieJar.pyc.$TMP newfilepath: C:\Python27\Lib\_LWPCookieJar.pyc newfilepath_r: C:\Python27\Lib\_LWPCookieJar.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\_LWPCookieJar.pyc.$TMP	success	1
1619345061.887026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_MozillaCookieJar.py.$TMP newfilepath: C:\Python27\Lib\_MozillaCookieJar.py newfilepath_r: C:\Python27\Lib\_MozillaCookieJar.py flags: 1 oldfilepath_r: C:\Python27\Lib\_MozillaCookieJar.py.$TMP	success	1
1619345062.043026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_MozillaCookieJar.pyc.$TMP newfilepath: C:\Python27\Lib\_MozillaCookieJar.pyc newfilepath_r: C:\Python27\Lib\_MozillaCookieJar.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\_MozillaCookieJar.pyc.$TMP	success	1
1619345062.184026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\__future__.py.$TMP newfilepath: C:\Python27\Lib\__future__.py newfilepath_r: C:\Python27\Lib\__future__.py flags: 1 oldfilepath_r: C:\Python27\Lib\__future__.py.$TMP	success	1
1619345062.324026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\__future__.pyc.$TMP newfilepath: C:\Python27\Lib\__future__.pyc newfilepath_r: C:\Python27\Lib\__future__.pyc flags: 1 oldfilepath_r: C:\Python27\Lib\__future__.pyc.$TMP	success	1
1619345062.371026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\__phello__.foo.py.$TMP newfilepath: C:\Python27\Lib\__phello__.foo.py newfilepath_r: C:\Python27\Lib\__phello__.foo.py flags: 1 oldfilepath_r: C:\Python27\Lib\__phello__.foo.py.$TMP	success	1
1619345062.746026 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\_abcoll.py.$TMP newfilepath: C:\Python27\Lib\_abcoll.py newfilepath_r: C:\Python27\Lib\_abcoll.py flags: 1 oldfilepath_r: C:\Python27\Lib\_abcoll.py.$TMP	success	1

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.42830376
FireEye	Generic.mg.3867aff469391fba
Qihoo-360	Generic/HEUR/QVM11.1.C727.Malware.Gen
ALYac	Trojan.Ransom.HydraCrypt
Cylance	Unsafe
K7AntiVirus	Trojan ( 005648b11 )
Alibaba	Ransom:Win32/Filecoder.cb98fb36
K7GW	Trojan ( 005648b11 )
Cybereason	malicious.469391
Arcabit	Trojan.Generic.D28D8A28
Cyren	W32/Trojan.IYLN-5940
Symantec	Trojan Horse
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan-Ransom.Win32.Gen.wdk
BitDefender	Trojan.GenericKD.42830376
NANO-Antivirus	Trojan.Win32.Encoder.herugn
Paloalto	generic.ml
Tencent	Win32.Trojan.Gen.Lkdz
Ad-Aware	Trojan.GenericKD.42830376
Sophos	Mal/Generic-S
Comodo	Malware@#215950ku0w2qe
F-Secure	Heuristic.HEUR/AGEN.1131867
DrWeb	Trojan.Encoder.31197
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom_Gen.R06EC0PI220
McAfee-GW-Edition	BehavesLike.Win32.Dropper.bc
Emsisoft	Trojan.GenericKD.42830376 (B)
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1131867
Microsoft	Trojan:Win32/Occamy.C00
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	Trojan-Ransom.Win32.Gen.wdk
GData	Trojan.GenericKD.42830376
Cynet	Malicious (score: 100)
McAfee	Artemis!3867AFF46939
MAX	malware (ai score=100)
VBA32	Trojan.Encoder
Malwarebytes	Ransom.Hydra.GO
ESET-NOD32	a variant of Win32/Filecoder.OBA
TrendMicro-HouseCall	Ransom_Gen.R06EC0PI220
Ikarus	Trojan-Ransom.FileCrypter
Fortinet	W32/Filecoder.OBA!tr.ransom
BitDefenderTheta	Gen:NN.ZexaF.34700.TmGfaeO@xbl
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)
MaxSecure	Trojan.Malware.73859634.susgen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1970-01-01 08:00:00

Imports

Library KERNEL32.DLL:

• 0x608050 LoadLibraryA

• 0x608054 ExitProcess

• 0x608058 GetProcAddress

• 0x60805c VirtualProtect

Library winmm.dll:

• 0x608064 timeEndPeriod

Library ws2_32.dll:

• 0x60806c WSAGetOverlappedResult

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.