8.2
High risk

3e034d9dcffdebde81a36c094aa9c730935345eb4c51912223e007deb152689b

e46f86c9b8f7fa1c744d1548273e8b43.exe

Analysis time: 126s

Last analysis:

File size: 7.0KB

Static detection  Dynamic detection  AI SCORE=100 AIDETECTVM ALI2000010 AMGFA8BIRLAI ARTEMIS CONFIDENCE CRYPTOTORLOCKER2015 DXUUHL ELDORADO ENCODERXOR ER@4O1AR2 FILECODER FILELOCK FILEREPMALWARE H50DEYUDIVS HIGH CONFIDENCE HOAX KRYPTIK MALICIOUS PE MALWARE2 R25524 RANSOMXOR SCORE SORIKRYPT UNSAFE XORIST ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine        Result                               Scan date  Engine version
McAfee        Artemis!E46F86C9B8F7                 20200929   6.0.6.653
Baidu         Win32.Trojan.Filecoder.g             20190318   1.0.0.2
Alibaba       Ransom:Win32/generic.ali2000010      20190527   0.3.0.5
Avast         Win32:Evo-gen [Susp]                 20201001   18.4.3895.0
Kingsoft      -                                    20200929   2013.8.14.323
Tencent       Trojan.Win32.CryptoTorLocker2015.a   20200929   1.0.0.1
CrowdStrike   win/malicious_confidence_90% (W)     20190702   1.0
Static indicators
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\HOW TO DECRYPT FILES.txt
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name IMAGE
Behavioral verdict
Dynamic indicators
Steals private information from local Internet browsers (40 events)
Creates (office) documents on the filesystem (4 events)
file C:\Users\Administrator.Oskar-PC\Documents\DiRKGjtPvHs.ppt
file C:\Users\Administrator.Oskar-PC\Documents\IokZIhjjrQOQik.pptx
file C:\Users\Administrator.Oskar-PC\Documents\ENHXaRYUnuaCp.pptx
file C:\Users\Administrator.Oskar-PC\Documents\CzqSXAVPsu.pptx
Creates executable files on the filesystem (50 of 149 events)
Creates a shortcut to an executable file (50 of 148 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.703636098516607 section {'size_of_data': '0x00001600', 'virtual_address': '0x00009000', 'entropy': 7.703636098516607, 'name': 'UPX1', 'virtual_size': '0x00002000'} description A section with a high entropy has been found
entropy 0.8461538461538461 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (5 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter reg_value C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7c6Wvdoy0nAKv8v.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
file C:\Users\Oskar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
file C:\Windows\Tasks\HOW TO DECRYPT FILES.txt
Writes a potential ransom message to disk (50 of 2542 events)
Time | API | Arguments | Status | Return | Repeated
1620809363.581081
NtWriteFile
file_handle: 0x0000008c
filepath: C:\$Recycle.Bin\S-1-5-21-3154413779-3303930873-3537499701-1001\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.847081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.847081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.878081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.894081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.910081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.925081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.941081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.972081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.972081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.988081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809364.988081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.003081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.019081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.035081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.035081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.050081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.050081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.066081
NtWriteFile
file_handle: 0x00000098
filepath: C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
1620809365.081081
NtWriteFile
file_handle: 0x00000094
filepath: C:\Program Files\Common Files\Microsoft Shared\MSInfo\HOW TO DECRYPT FILES.txt
buffer: Your files have been encrypted with our software. Photos, documents etc ... WHAT I CAN DO?? You can pay $ 20 in bitcoins to this address: 3QgJDoVEaksAs9kFz1vcueG8DKF4hPrARW As soon as you have made the payment, contact us in this email and we will give you the password bufalo@boximail.com *IMPORTANT* You must have proof of payment
offset: 0
success 0 0
Detects VirtualBox through the presence of a file (1 event)
file C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_980b85158a5cdcbf\HOW TO DECRYPT FILES.txt
Drops 215 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 215 events)
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\56jcwhq9\s[3].htm.emilisub
file c:\users\administrator.oskar-pc\documents\cqntcjfqnhqqztvgons.txt.emilisub
file c:\users\administrator.oskar-pc\appdata\local\microsoft\windows mail\stationery\soft blue.htm.emilisub
file c:\python27\tools\pynche\readme.txt.emilisub
file c:\python27\tools\pynche\html40colors.txt.emilisub
file c:\python27\lib\idlelib\news.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\56jcwhq9\baidu_com[1].htm.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\vpxlxlfm\s[5].htm.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\56jcwhq9\sugrec[2].txt.emilisub
file c:\python27\lib\email\test\data\msg_05.txt.emilisub
file c:\python27\lib\test\sgml_input.html.emilisub
file c:\python27\lib\test\test_doctest.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\27lzindc\sugrec[3].txt.emilisub
file c:\python27\tcl\tix8.4.3\pref\wmdefault.txt.emilisub
file c:\python27\lib\test\cjkencodings\euc_kr.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\27lzindc\s[2].htm.emilisub
file c:\python27\lib\test\cjkencodings\gb2312.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\56jcwhq9\s[4].htm.emilisub
file c:\python27\lib\site-packages\setuptools-41.2.0.dist-info\entry_points.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\56jcwhq9\s[1].htm.emilisub
file c:\python27\lib\test\cjkencodings\euc_jp.txt.emilisub
file c:\python27\lib\email\test\data\msg_29.txt.emilisub
file c:\python27\lib\test\test_difflib_expect.html.emilisub
file c:\users\administrator.oskar-pc\documents\dirkgjtpvhs.ppt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\vpxlxlfm\s[3].htm.emilisub
file c:\python27\lib\email\test\data\msg_17.txt.emilisub
file c:\python27\lib\test\cjkencodings\big5-utf8.txt.emilisub
file c:\python27\lib\test\cjkencodings\shift_jis.txt.emilisub
file c:\python27\lib\email\test\data\msg_22.txt.emilisub
file c:\python27\lib\email\test\data\msg_10.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\27lzindc\sugrec[4].txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows mail\stationery\stars.htm.emilisub
file c:\users\administrator.oskar-pc\appdata\roaming\microsoft\windows\cookies\administrator@cn.bing[1].txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\0yemqdaw\sugrec[1].txt.emilisub
file c:\python27\lib\test\cjkencodings\euc_kr-utf8.txt.emilisub
file c:\python27\lib\site-packages\pip-19.2.3.dist-info\license.txt.emilisub
file c:\python27\lib\email\test\data\msg_30.txt.emilisub
file c:\python27\readme.txt.emilisub
file c:\users\oskar\appdata\roaming\microsoft\windows\cookies\oskar@microsoft[2].txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\content.ie5\r2qsa7le\login[1].htm.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\vpxlxlfm\s[1].htm.emilisub
file c:\users\oskar\appdata\roaming\microsoft\windows\cookies\low\oskar@cn.bing[1].txt.emilisub
file c:\python27\lib\email\test\data\msg_24.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\0yemqdaw\sugrec[5].txt.emilisub
file c:\users\administrator.oskar-pc\appdata\local\temp\dd_wcf_ca_smci_20210411_130134_200.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\0yemqdaw\s[1].htm.emilisub
file c:\python27\lib\test\test_doctest3.txt.emilisub
file c:\python27\lib\email\test\data\msg_33.txt.emilisub
file c:\users\oskar\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\0yemqdaw\s[2].htm.emilisub
file c:\python27\lib\email\test\data\msg_11.txt.emilisub
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.160.78:443
File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Ransom.AIG
FireEye Generic.mg.e46f86c9b8f7fa1c
CAT-QuickHeal Trojan.Ransom.FO4
McAfee Artemis!E46F86C9B8F7
Cylance Unsafe
VIPRE Trojan.Win32.Ransom.fo (v)
Sangfor Malware
K7AntiVirus Trojan ( 005451b81 )
BitDefender Trojan.Ransom.AIG
K7GW Trojan ( 005451b81 )
Cybereason malicious.9b8f7f
Invincea Troj/Ransom-EY
Baidu Win32.Trojan.Filecoder.g
Cyren W32/Filecoder.Y.gen!Eldorado
TotalDefense Win32/Ransom.A!generic
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.CryptoTorLocker2015-1
Kaspersky Trojan-Ransom.Win32.Xorist.ln
Alibaba Ransom:Win32/generic.ali2000010
NANO-Antivirus Trojan.Win32.Xorist.dxuuhl
ViRobot Trojan.Win32.Z.Xorist.7168.DB
Avast Win32:Evo-gen [Susp]
Rising Ransom.Sorikrypt!8.8822 (TFE:5:H50DeYUdIVS)
Ad-Aware Trojan.Ransom.AIG
Sophos Troj/Ransom-EY
Comodo TrojWare.Win32.Kryptik.ER@4o1ar2
F-Secure Trojan:W32/RansomCrypt.D
DrWeb Trojan.Encoder.25389
Zillya Trojan.Xorist.Win32.1855
TrendMicro Ransom_XORIST.SMA
McAfee-GW-Edition BehavesLike.Win32.Generic.zc
Emsisoft Trojan.Ransom.AIG (B)
SentinelOne DFI - Malicious PE
GData Win32.Trojan-Ransom.Xorist.D
Jiangmin Trojan/Xorist.dl
Avira TR/Ransom.Xorist.EJ
MAX malware (ai score=100)
Antiy-AVL Trojan[Ransom]/Win32.Xorist
Arcabit Trojan.Ransom.AIG
ZoneAlarm Trojan-Ransom.Win32.Xorist.ln
Microsoft Ransom:Win32/Sorikrypt
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Xorist.R25524
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34254.amGfa8BIRLai
ALYac Trojan.Ransom.Xorist
TACHYON Trojan/W32.Xorist.12800.C
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample ran.

PE Compile Time

2012-01-30 02:49:03

Imports

Library KERNEL32.DLL:
0x40b14c LoadLibraryA
0x40b150 GetProcAddress
0x40b154 VirtualProtect
0x40b158 VirtualAlloc
0x40b15c VirtualFree
0x40b160 ExitProcess
Library advapi32.dll:
0x40b168 RegCloseKey
Library comctl32.dll:
0x40b170 InitCommonControls
Library gdi32.dll:
0x40b178 CreateFontIndirectA
Library shell32.dll:
0x40b180 ShellExecuteA
Library shlwapi.dll:
0x40b188 PathMatchSpecA
Library user32.dll:
0x40b190 EndPaint

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination                     Destination Port
192.168.56.101  49713        114.114.114.114                 53
192.168.56.101  50002        114.114.114.114                 53
192.168.56.101  53657        114.114.114.114                 53
192.168.56.101  60384        114.114.114.114                 53
192.168.56.101  62318        114.114.114.114                 53
192.168.56.101  62912        114.114.114.114                 53
192.168.56.101  137          192.168.56.255                  137
192.168.56.101  138          192.168.56.255                  138
192.168.56.101  123          20.189.79.72 time.windows.com   123
192.168.56.101  49235        224.0.0.252                     5355
192.168.56.101  50534        224.0.0.252                     5355
192.168.56.101  51808        224.0.0.252                     5355
192.168.56.101  51963        224.0.0.252                     5355
192.168.56.101  56804        224.0.0.252                     5355
192.168.56.101  57756        224.0.0.252                     5355
192.168.56.101  57874        224.0.0.252                     5355
192.168.56.101  61680        224.0.0.252                     5355
192.168.56.101  62191        224.0.0.252                     5355
192.168.56.101  63429        224.0.0.252                     5355
192.168.56.101  1900         239.255.255.250                 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.