18.4
0-day

61d26a517d9a6dfaa47a65828a244f122d89e565dd86a2a6ac860aa95d9304a4

f1bee8af811ef6353430fc5ac6f09f98.exe

Analysis duration

130s

Latest analysis

File size

73.5KB
Static detection / Dynamic detection / 100%
Detection tags: AGENTWDCR AI SCORE=100 AIDETECTVM ANDROM BSCOPE CONFIDENCE CWALL DELSHAD ECTY FILECODER FJGEA FXPDRM HIGH CONFIDENCE KTSE MAILTO MALWARE1 MALWARE@#2VJ0VQAF1LOUK NEMTY NETWALKER S + MAL SASG SCORE SKEEYAH SMTHA SUSPICIOUS PE TROJANPSW UNSAFE XNO28S XPACK
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine detection results yet
Static verdict
Antivirus engines
Engine Result Date Version
Alibaba Trojan:Win32/DelShad.34740867 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20200922 2013.8.14.323
McAfee Ransom-CWall!F1BEE8AF811E 20200922 6.0.6.653
Tencent Win32.Trojan.Delshad.Ecty 20200922 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (3 events)
Time & API Arguments Status Return Repeated
1620021694.898249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620021694.945249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620021694.976249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620021694.632249
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1620021266.120772
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x0000000000000007
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header
suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2034089529&cup2hreq=b58f88f1f147c57db1e6d949e9b82fc9d0f0b76a1cad1392b4b274944ec389ab
Performs some HTTP requests (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2034089529&cup2hreq=b58f88f1f147c57db1e6d949e9b82fc9d0f0b76a1cad1392b4b274944ec389ab
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2034089529&cup2hreq=b58f88f1f147c57db1e6d949e9b82fc9d0f0b76a1cad1392b4b274944ec389ab
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1620021694.632249
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02580000
success 0 0
Creates (office) documents on the filesystem (4 events)
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\Documents\kdtDcVbcZAEDAZ.pptx
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\Documents\FPdtaANQcZ.docx
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\Documents\gumdklvsJK.docm
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\Documents\uaHSFQByGzo.doc
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f1bee8af811ef6353430fc5ac6f09f98.exe
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 7.922050158845668
section {'size_of_data': '0x00000e00', 'virtual_address': '0x00014000', 'entropy': 7.922050158845668, 'name': '.rsrc', 'virtual_size': '0x00000de8'}
description A section with a high entropy has been found
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)
Time & API Arguments Status Return Repeated
1620021694.445249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620021695.023626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620021266.088772
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1620021694.085249
NtTerminateProcess
status_code: 0x00000000
process_identifier: 732
process_handle: 0x0000010c
failed 0 0
1620021694.085249
NtTerminateProcess
status_code: 0x00000000
process_identifier: 732
process_handle: 0x0000010c
success 0 0
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 0e6dbf22a95ab7972115645f4a52091bffef7a6d
buffer Buffer with sha1: d8e27bfbf73fe531229f199f3ce4414d1875b5b9
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\524b64b3d7
reg_value C:\Program Files (x86)\524b64b3d7\524b64b3d7.exe
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\Python27\agent.pyw
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)
Process injection Process 732 called NtSetContextThread to modify thread in remote process 1436
Process injection Process 1436 called NtSetContextThread to modify thread in remote process 1912
Time & API Arguments Status Return Repeated
1619999685.884822
NtSetContextThread
thread_handle: 0x00000098
registers.eip: 1052480
registers.esp: 786120
registers.edi: 0
registers.eax: 13438714
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1436
success 0 0
1620021694.398249
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 1052320
registers.esp: 2423516
registers.edi: 0
registers.eax: 13438714
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1912
success 0 0
Writes a potential ransom message to disk (50 out of 130 events)
Time & API Arguments Status Return Repeated
1620021695.226249
NtWriteFile
file_handle: 0x000001cc
filepath: C:\Python27\DLLs\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021695.335249
NtWriteFile
file_handle: 0x000001cc
filepath: C:\Python27\Doc\524B64-Readme.txt
offset: 0
success 0 0
1620021698.570249
NtWriteFile
file_handle: 0x00000284
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Contacts\524B64-Readme.txt
offset: 0
success 0 0
1620021699.663249
NtWriteFile
file_handle: 0x00000284
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Documents\524B64-Readme.txt
offset: 0
success 0 0
1620021699.867249
NtWriteFile
file_handle: 0x000001cc
filepath: C:\Python27\include\524B64-Readme.txt
offset: 0
success 0 0
1620021700.929249
NtWriteFile
file_handle: 0x000001e4
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Favorites\Links\524B64-Readme.txt
offset: 0
success 0 0
1620021701.835249
NtWriteFile
file_handle: 0x00000294
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Favorites\Links for 中国\524B64-Readme.txt
offset: 0
success 0 0
1620021702.382249
NtWriteFile
file_handle: 0x00000294
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Favorites\Microsoft 网站\524B64-Readme.txt
offset: 0
success 0 0
1620021702.960249
NtWriteFile
file_handle: 0x000001e4
filepath: C:\Python27\Lib\bsddb\test\524B64-Readme.txt
offset: 0
success 0 0
1620021702.992249
NtWriteFile
file_handle: 0x00000284
filepath: C:\Python27\Lib\bsddb\524B64-Readme.txt
offset: 0
success 0 0
1620021703.023249
NtWriteFile
file_handle: 0x0000028c
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Favorites\MSN 网站\524B64-Readme.txt
offset: 0
success 0 0
1620021703.460249
NtWriteFile
file_handle: 0x0000028c
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Favorites\Windows Live\524B64-Readme.txt
offset: 0
success 0 0
1620021703.476249
NtWriteFile
file_handle: 0x00000288
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Favorites\524B64-Readme.txt
offset: 0
success 0 0
1620021703.976249
NtWriteFile
file_handle: 0x00000288
filepath: C:\Python27\Lib\compiler\524B64-Readme.txt
offset: 0
success 0 0
1620021704.007249
NtWriteFile
file_handle: 0x000001e4
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\Searches\524B64-Readme.txt
offset: 0
success 0 0
1620021704.085249
NtWriteFile
file_handle: 0x0000027c
filepath: \Device\Mup\OSKAR-PC\Users\Administrator.Oskar-PC\524B64-Readme.txt
offset: 0
success 0 0
1620021704.570249
NtWriteFile
file_handle: 0x000002a0
filepath: C:\Python27\Lib\ctypes\macholib\524B64-Readme.txt
offset: 0
success 0 0
1620021705.023249
NtWriteFile
file_handle: 0x000001f0
filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN\524B64-Readme.txt
offset: 0
success 0 0
1620021705.788249
NtWriteFile
file_handle: 0x000001f0
filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\zh-CN_en-US\524B64-Readme.txt
offset: 0
success 0 0
1620021705.788249
NtWriteFile
file_handle: 0x00000248
filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\524B64-Readme.txt
offset: 0
success 0 0
1620021706.007249
NtWriteFile
file_handle: 0x00000284
filepath: C:\ProgramData\Microsoft\Assistance\Client\524B64-Readme.txt
offset: 0
success 0 0
1620021706.023249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\Assistance\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021706.179249
NtWriteFile
file_handle: 0x00000248
filepath: C:\ProgramData\Microsoft\Crypto\Keys\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021706.523249
NtWriteFile
file_handle: 0x000002a0
filepath: C:\Python27\Lib\ctypes\test\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021706.523249
NtWriteFile
file_handle: 0x000002a4
filepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021706.554249
NtWriteFile
file_handle: 0x00000248
filepath: C:\ProgramData\Microsoft\Crypto\RSA\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021706.554249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\Crypto\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021706.851249
NtWriteFile
file_handle: 0x0000029c
filepath: C:\Python27\Lib\ctypes\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021707.054249
NtWriteFile
file_handle: 0x0000029c
filepath: C:\Python27\Lib\curses\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021707.117249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\IlsCache\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021707.288249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\MF\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021707.538249
NtWriteFile
file_handle: 0x0000029c
filepath: C:\ProgramData\Microsoft\RAC\StateData\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021707.617249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\RAC\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021708.554249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\User Account Pictures\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021708.617249
NtWriteFile
file_handle: 0x000002a0
filepath: C:\Python27\Lib\distutils\command\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021711.226249
NtWriteFile
file_handle: 0x000002a0
filepath: C:\Python27\Lib\distutils\tests\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021711.492249
NtWriteFile
file_handle: 0x00000284
filepath: C:\Python27\Lib\distutils\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021712.570249
NtWriteFile
file_handle: 0x000002a0
filepath: C:\Python27\Lib\email\mime\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021714.210249
NtWriteFile
file_handle: 0x000002a4
filepath: C:\Python27\Lib\email\test\data\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021714.429249
NtWriteFile
file_handle: 0x000002a0
filepath: C:\Python27\Lib\email\test\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021714.617249
NtWriteFile
file_handle: 0x00000284
filepath: C:\Python27\Lib\email\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021715.757249
NtWriteFile
file_handle: 0x00000248
filepath: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021715.757249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\Vault\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021716.382249
NtWriteFile
file_handle: 0x00000248
filepath: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021716.398249
NtWriteFile
file_handle: 0x00000298
filepath: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021716.695249
NtWriteFile
file_handle: 0x00000298
filepath: C:\ProgramData\Microsoft\Windows Defender\Support\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021716.710249
NtWriteFile
file_handle: 0x00000294
filepath: C:\ProgramData\Microsoft\Windows Defender\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021716.960249
NtWriteFile
file_handle: 0x0000028c
filepath: C:\ProgramData\Microsoft\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021717.007249
NtWriteFile
file_handle: 0x0000028c
filepath: C:\ProgramData\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
1620021718.695249
NtWriteFile
file_handle: 0x00000294
filepath: \Device\Mup\OSKAR-PC\Users\Default\524B64-Readme.txt
buffer: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 524b64. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io Be sure to include your personal code in the letter: {key_524b64:EQAAADUyNEI2NC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjUyNGI2NBbhG68CV/NWihoP2Qz2T19i QIvVLHHXmqXbnn2ii4jAju8aNXDbnQJ3jXjXKEs79vwTYWCz20 JYLR8OQmBlhXOk6ZRrBPXKi5AuwUwhbYh1UsDouBGD7N1jQBX+ D2rmIUgnkf7TwENSTgjfqR1iMbI=}
offset: 0
success 0 0
Created a process named as a common system process (2 events)
Time & API Arguments Status Return Repeated
1619999685.853822
CreateProcessInternalW
thread_identifier: 2316
thread_handle: 0x00000098
process_identifier: 1436
current_directory:
filepath: C:\Windows\System32\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\explorer.exe
stack_pivoted: 0
creation_flags: 67108898 (CREATE_DEFAULT_ERROR_MODE|DEBUG_ONLY_THIS_PROCESS|NORMAL_PRIORITY_CLASS)
process_handle: 0x00000094
inherit_handles: 0
success 1 0
1620021694.382249
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x00000110
process_identifier: 1912
current_directory:
filepath: C:\Windows\System32\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\explorer.exe
stack_pivoted: 0
creation_flags: 67108898 (CREATE_DEFAULT_ERROR_MODE|DEBUG_ONLY_THIS_PROCESS|NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
Uses suspicious command line tools or Windows utilities (1 event)
cmdline C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (1 event)
dll C:\Windows\system32\VBoxMRXNP.dll
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.78:443
Executed a process and injected code into it, probably while unpacking (9 events)
Time & API Arguments Status Return Repeated
1619999685.853822
CreateProcessInternalW
thread_identifier: 2316
thread_handle: 0x00000098
process_identifier: 1436
current_directory:
filepath: C:\Windows\System32\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\explorer.exe
stack_pivoted: 0
creation_flags: 67108898 (CREATE_DEFAULT_ERROR_MODE|DEBUG_ONLY_THIS_PROCESS|NORMAL_PRIORITY_CLASS)
process_handle: 0x00000094
inherit_handles: 0
success 1 0
1619999685.884822
NtMapViewOfSection
section_handle: 0x000000ac
process_identifier: 1436
commit_size: 90112
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000094
allocation_type: 0 ()
section_offset: 0
view_size: 90112
base_address: 0x000f0000
success 0 0
1619999685.884822
NtGetContextThread
thread_handle: 0x00000098
success 0 0
1619999685.884822
NtSetContextThread
thread_handle: 0x00000098
registers.eip: 1052480
registers.esp: 786120
registers.edi: 0
registers.eax: 13438714
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1436
success 0 0
1620021694.382249
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x00000110
process_identifier: 1912
current_directory:
filepath: C:\Windows\System32\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\explorer.exe
stack_pivoted: 0
creation_flags: 67108898 (CREATE_DEFAULT_ERROR_MODE|DEBUG_ONLY_THIS_PROCESS|NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1620021694.382249
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 1912
commit_size: 90112
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 90112
base_address: 0x000f0000
success 0 0
1620021694.398249
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1620021694.398249
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 1052320
registers.esp: 2423516
registers.edi: 0
registers.eax: 13438714
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1912
success 0 0
1620021694.992626
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x00000108
process_identifier: 2636
current_directory:
filepath: C:\Windows\System32\vssadmin.exe
track: 1
command_line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
filepath_r: C:\Windows\system32\vssadmin.exe
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x00000104
inherit_handles: 0
success 1 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Encoder.29451
MicroWorld-eScan Trojan.AgentWDCR.UOI
FireEye Generic.mg.f1bee8af811ef635
CAT-QuickHeal Ransom.Mailto.P5
ALYac Trojan.Ransom.Filecoder
Cylance Unsafe
Zillya Trojan.Filecoder.Win32.10385
Sangfor Malware
K7AntiVirus Trojan ( 005573071 )
Alibaba Trojan:Win32/DelShad.34740867
K7GW Trojan ( 005573071 )
Cybereason malicious.f811ef
Arcabit Trojan.AgentWDCR.UOI
Invincea Mal/Generic-S + Mal/Generic-L
BitDefenderTheta AI:Packer.650A6A911E
Cyren W32/Trojan.SASG-3157
Symantec Downloader
ESET-NOD32 Win32/Filecoder.NetWalker.A
Zoner Trojan.Win32.84001
TrendMicro-HouseCall Ransom.Win32.NEMTY.SMTHA
Paloalto generic.ml
Kaspersky Trojan.Win32.DelShad.aps
BitDefender Trojan.AgentWDCR.UOI
NANO-Antivirus Trojan.Win32.Filecoder.fxpdrm
Rising Ransom.Mailto!1.BC36 (KTSE)
Ad-Aware Trojan.AgentWDCR.UOI
Emsisoft Trojan.AgentWDCR.UOI (B)
Comodo Malware@#2vj0vqaf1louk
F-Secure Trojan.TR/Crypt.XPACK.YC
VIPRE Win32.Malware!Drop
TrendMicro Ransom.Win32.NEMTY.SMTHA
McAfee-GW-Edition BehavesLike.Win32.Generic.lh
Sophos Mal/Generic-L
Ikarus Trojan-Ransom.NetWalker
Jiangmin Trojan.Generic.fjgea
Webroot W32.Malware.Gen
Avira TR/Crypt.XPACK.YC
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Microsoft Trojan:Win32/Skeeyah.A!MTB
AegisLab Trojan.Win32.DelShad.4!c
ZoneAlarm Trojan.Win32.DelShad.aps
GData Win32.Trojan.Agent.XNO28S
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Ransom.C3464078
McAfee Ransom-CWall!F1BEE8AF811E
MAX malware (ai score=100)
VBA32 BScope.TrojanPSW.Spy
APEX Malicious
Performs 1899 file moves indicative of a ransomware file encryption process (50 out of 1899 events)
Time & API Arguments Status Return Repeated
1620021694.695249
MoveFileWithProgressW
oldfilepath: C:\Python27\agent.pyw
newfilepath: C:\Python27\agent.pyw.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\agent.pyw.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\agent.pyw
success 1 0
1620021694.788249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\unicodedata.pyd
newfilepath: C:\Python27\DLLs\unicodedata.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\unicodedata.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\unicodedata.pyd
success 1 0
1620021694.804249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\winsound.pyd
newfilepath: C:\Python27\DLLs\winsound.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\winsound.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\winsound.pyd
success 1 0
1620021694.898249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_bsddb.pyd
newfilepath: C:\Python27\DLLs\_bsddb.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_bsddb.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_bsddb.pyd
success 1 0
1620021694.945249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_ctypes_test.pyd
newfilepath: C:\Python27\DLLs\_ctypes_test.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_ctypes_test.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_ctypes_test.pyd
success 1 0
1620021694.992249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_elementtree.pyd
newfilepath: C:\Python27\DLLs\_elementtree.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_elementtree.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_elementtree.pyd
success 1 0
1620021695.038249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_msi.pyd
newfilepath: C:\Python27\DLLs\_msi.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_msi.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_msi.pyd
success 1 0
1620021695.070249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_multiprocessing.pyd
newfilepath: C:\Python27\DLLs\_multiprocessing.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_multiprocessing.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_multiprocessing.pyd
success 1 0
1620021695.132249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_sqlite3.pyd
newfilepath: C:\Python27\DLLs\_sqlite3.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_sqlite3.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_sqlite3.pyd
success 1 0
1620021695.163249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_testcapi.pyd
newfilepath: C:\Python27\DLLs\_testcapi.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_testcapi.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_testcapi.pyd
success 1 0
1620021695.226249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_tkinter.pyd
newfilepath: C:\Python27\DLLs\_tkinter.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_tkinter.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_tkinter.pyd
success 1 0
1620021695.304249
MoveFileWithProgressW
oldfilepath: C:\Python27\Doc\python2718.chm
newfilepath: C:\Python27\Doc\python2718.chm.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\Doc\python2718.chm.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\Doc\python2718.chm
success 1 0
1620021695.429249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\abstract.h
newfilepath: C:\Python27\include\abstract.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\abstract.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\abstract.h
success 1 0
1620021695.445249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\asdl.h
newfilepath: C:\Python27\include\asdl.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\asdl.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\asdl.h
success 1 0
1620021695.492249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\ast.h
newfilepath: C:\Python27\include\ast.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\ast.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\ast.h
success 1 0
1620021695.538249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bitset.h
newfilepath: C:\Python27\include\bitset.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\bitset.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\bitset.h
success 1 0
1620021695.570249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\boolobject.h
newfilepath: C:\Python27\include\boolobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\boolobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\boolobject.h
success 1 0
1620021695.601249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bufferobject.h
newfilepath: C:\Python27\include\bufferobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\bufferobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\bufferobject.h
success 1 0
1620021695.617249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bytearrayobject.h
newfilepath: C:\Python27\include\bytearrayobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\bytearrayobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\bytearrayobject.h
success 1 0
1620021695.648249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bytesobject.h
newfilepath: C:\Python27\include\bytesobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\bytesobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\bytesobject.h
success 1 0
1620021695.663249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bytes_methods.h
newfilepath: C:\Python27\include\bytes_methods.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\bytes_methods.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\bytes_methods.h
success 1 0
1620021695.695249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\cellobject.h
newfilepath: C:\Python27\include\cellobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\cellobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\cellobject.h
success 1 0
1620021695.726249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\ceval.h
newfilepath: C:\Python27\include\ceval.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\ceval.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\ceval.h
success 1 0
1620021695.788249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\classobject.h
newfilepath: C:\Python27\include\classobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\classobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\classobject.h
success 1 0
1620021695.804249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\cobject.h
newfilepath: C:\Python27\include\cobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\cobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\cobject.h
success 1 0
1620021695.820249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\code.h
newfilepath: C:\Python27\include\code.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\code.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\code.h
success 1 0
1620021695.835249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\codecs.h
newfilepath: C:\Python27\include\codecs.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\codecs.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\codecs.h
success 1 0
1620021695.992249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\compile.h
newfilepath: C:\Python27\include\compile.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\compile.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\compile.h
success 1 0
1620021696.023249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\complexobject.h
newfilepath: C:\Python27\include\complexobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\complexobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\complexobject.h
success 1 0
1620021696.038249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\cStringIO.h
newfilepath: C:\Python27\include\cStringIO.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\cStringIO.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\cStringIO.h
success 1 0
1620021696.070249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\datetime.h
newfilepath: C:\Python27\include\datetime.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\datetime.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\datetime.h
success 1 0
1620021696.117249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\descrobject.h
newfilepath: C:\Python27\include\descrobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\descrobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\descrobject.h
success 1 0
1620021696.163249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\dictobject.h
newfilepath: C:\Python27\include\dictobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\dictobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\dictobject.h
success 1 0
1620021696.195249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\dtoa.h
newfilepath: C:\Python27\include\dtoa.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\dtoa.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\dtoa.h
success 1 0
1620021696.210249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\enumobject.h
newfilepath: C:\Python27\include\enumobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\enumobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\enumobject.h
success 1 0
1620021696.226249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\errcode.h
newfilepath: C:\Python27\include\errcode.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\errcode.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\errcode.h
success 1 0
1620021696.382249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\eval.h
newfilepath: C:\Python27\include\eval.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\eval.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\eval.h
success 1 0
1620021696.413249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\fileobject.h
newfilepath: C:\Python27\include\fileobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\fileobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\fileobject.h
success 1 0
1620021696.445249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\floatobject.h
newfilepath: C:\Python27\include\floatobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\floatobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\floatobject.h
success 1 0
1620021696.460249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\frameobject.h
newfilepath: C:\Python27\include\frameobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\frameobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\frameobject.h
success 1 0
1620021696.507249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\funcobject.h
newfilepath: C:\Python27\include\funcobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\funcobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\funcobject.h
success 1 0
1620021696.554249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\genobject.h
newfilepath: C:\Python27\include\genobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\genobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\genobject.h
success 1 0
1620021696.585249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\graminit.h
newfilepath: C:\Python27\include\graminit.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\graminit.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\graminit.h
success 1 0
1620021696.632249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\grammar.h
newfilepath: C:\Python27\include\grammar.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\grammar.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\grammar.h
success 1 0
1620021696.663249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\import.h
newfilepath: C:\Python27\include\import.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\import.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\import.h
success 1 0
1620021696.757249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\intobject.h
newfilepath: C:\Python27\include\intobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\intobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\intobject.h
success 1 0
1620021696.788249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\intrcheck.h
newfilepath: C:\Python27\include\intrcheck.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\intrcheck.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\intrcheck.h
success 1 0
1620021696.851249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\iterobject.h
newfilepath: C:\Python27\include\iterobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\iterobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\iterobject.h
success 1 0
1620021696.867249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\listobject.h
newfilepath: C:\Python27\include\listobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\listobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\listobject.h
success 1 0
1620021696.960249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\longintrepr.h
newfilepath: C:\Python27\include\longintrepr.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\longintrepr.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\longintrepr.h
success 1 0
Appends a new file extension or content to 1899 files indicative of a ransomware file encryption process (50 out of 1899 events)
Time & API Arguments Status Return Repeated
1620021694.695249
MoveFileWithProgressW
oldfilepath: C:\Python27\agent.pyw
newfilepath: C:\Python27\agent.pyw.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\agent.pyw.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\agent.pyw
success 1 0
1620021694.788249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\unicodedata.pyd
newfilepath: C:\Python27\DLLs\unicodedata.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\unicodedata.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\unicodedata.pyd
success 1 0
1620021694.804249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\winsound.pyd
newfilepath: C:\Python27\DLLs\winsound.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\winsound.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\winsound.pyd
success 1 0
1620021694.898249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_bsddb.pyd
newfilepath: C:\Python27\DLLs\_bsddb.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_bsddb.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_bsddb.pyd
success 1 0
1620021694.945249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_ctypes_test.pyd
newfilepath: C:\Python27\DLLs\_ctypes_test.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_ctypes_test.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_ctypes_test.pyd
success 1 0
1620021694.992249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_elementtree.pyd
newfilepath: C:\Python27\DLLs\_elementtree.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_elementtree.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_elementtree.pyd
success 1 0
1620021695.038249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_msi.pyd
newfilepath: C:\Python27\DLLs\_msi.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_msi.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_msi.pyd
success 1 0
1620021695.070249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_multiprocessing.pyd
newfilepath: C:\Python27\DLLs\_multiprocessing.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_multiprocessing.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_multiprocessing.pyd
success 1 0
1620021695.132249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_sqlite3.pyd
newfilepath: C:\Python27\DLLs\_sqlite3.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_sqlite3.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_sqlite3.pyd
success 1 0
1620021695.163249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_testcapi.pyd
newfilepath: C:\Python27\DLLs\_testcapi.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_testcapi.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_testcapi.pyd
success 1 0
1620021695.226249
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_tkinter.pyd
newfilepath: C:\Python27\DLLs\_tkinter.pyd.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\DLLs\_tkinter.pyd.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\DLLs\_tkinter.pyd
success 1 0
1620021695.304249
MoveFileWithProgressW
oldfilepath: C:\Python27\Doc\python2718.chm
newfilepath: C:\Python27\Doc\python2718.chm.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\Doc\python2718.chm.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\Doc\python2718.chm
success 1 0
1620021695.429249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\abstract.h
newfilepath: C:\Python27\include\abstract.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\abstract.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\abstract.h
success 1 0
1620021695.445249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\asdl.h
newfilepath: C:\Python27\include\asdl.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\asdl.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\asdl.h
success 1 0
1620021695.492249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\ast.h
newfilepath: C:\Python27\include\ast.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\ast.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\ast.h
success 1 0
1620021695.538249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bitset.h
newfilepath: C:\Python27\include\bitset.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\bitset.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\bitset.h
success 1 0
The 34 events below are one table: each row is Time, API, oldfilepath -> newfilepath, flags, Status, Return, Repeated. The resolved paths logged as oldfilepath_r / newfilepath_r are identical to oldfilepath / newfilepath in every event and are not repeated here. flags 2 is MOVEFILE_COPY_ALLOWED; every rename appends the same ".mailto[kokoklock@cock.li].524b64" extension.
Time & API Arguments Status Return Repeated
1620021695.570249 MoveFileWithProgressW C:\Python27\include\boolobject.h -> C:\Python27\include\boolobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.601249 MoveFileWithProgressW C:\Python27\include\bufferobject.h -> C:\Python27\include\bufferobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.617249 MoveFileWithProgressW C:\Python27\include\bytearrayobject.h -> C:\Python27\include\bytearrayobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.648249 MoveFileWithProgressW C:\Python27\include\bytesobject.h -> C:\Python27\include\bytesobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.663249 MoveFileWithProgressW C:\Python27\include\bytes_methods.h -> C:\Python27\include\bytes_methods.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.695249 MoveFileWithProgressW C:\Python27\include\cellobject.h -> C:\Python27\include\cellobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.726249 MoveFileWithProgressW C:\Python27\include\ceval.h -> C:\Python27\include\ceval.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.788249 MoveFileWithProgressW C:\Python27\include\classobject.h -> C:\Python27\include\classobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.804249 MoveFileWithProgressW C:\Python27\include\cobject.h -> C:\Python27\include\cobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.820249 MoveFileWithProgressW C:\Python27\include\code.h -> C:\Python27\include\code.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.835249 MoveFileWithProgressW C:\Python27\include\codecs.h -> C:\Python27\include\codecs.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021695.992249 MoveFileWithProgressW C:\Python27\include\compile.h -> C:\Python27\include\compile.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.023249 MoveFileWithProgressW C:\Python27\include\complexobject.h -> C:\Python27\include\complexobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.038249 MoveFileWithProgressW C:\Python27\include\cStringIO.h -> C:\Python27\include\cStringIO.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.070249 MoveFileWithProgressW C:\Python27\include\datetime.h -> C:\Python27\include\datetime.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.117249 MoveFileWithProgressW C:\Python27\include\descrobject.h -> C:\Python27\include\descrobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.163249 MoveFileWithProgressW C:\Python27\include\dictobject.h -> C:\Python27\include\dictobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.195249 MoveFileWithProgressW C:\Python27\include\dtoa.h -> C:\Python27\include\dtoa.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.210249 MoveFileWithProgressW C:\Python27\include\enumobject.h -> C:\Python27\include\enumobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.226249 MoveFileWithProgressW C:\Python27\include\errcode.h -> C:\Python27\include\errcode.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.382249 MoveFileWithProgressW C:\Python27\include\eval.h -> C:\Python27\include\eval.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.413249 MoveFileWithProgressW C:\Python27\include\fileobject.h -> C:\Python27\include\fileobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.445249 MoveFileWithProgressW C:\Python27\include\floatobject.h -> C:\Python27\include\floatobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.460249 MoveFileWithProgressW C:\Python27\include\frameobject.h -> C:\Python27\include\frameobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.507249 MoveFileWithProgressW C:\Python27\include\funcobject.h -> C:\Python27\include\funcobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.554249 MoveFileWithProgressW C:\Python27\include\genobject.h -> C:\Python27\include\genobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.585249 MoveFileWithProgressW C:\Python27\include\graminit.h -> C:\Python27\include\graminit.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.632249 MoveFileWithProgressW C:\Python27\include\grammar.h -> C:\Python27\include\grammar.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.663249 MoveFileWithProgressW C:\Python27\include\import.h -> C:\Python27\include\import.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.757249 MoveFileWithProgressW C:\Python27\include\intobject.h -> C:\Python27\include\intobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.788249 MoveFileWithProgressW C:\Python27\include\intrcheck.h -> C:\Python27\include\intrcheck.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.851249 MoveFileWithProgressW C:\Python27\include\iterobject.h -> C:\Python27\include\iterobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.867249 MoveFileWithProgressW C:\Python27\include\listobject.h -> C:\Python27\include\listobject.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
1620021696.960249 MoveFileWithProgressW C:\Python27\include\longintrepr.h -> C:\Python27\include\longintrepr.h.mailto[kokoklock@cock.li].524b64 flags: 2 success 1 0
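The rename log above is what a mass-encryption run looks like at the API level: every successful MoveFileWithProgressW call appends the same ".mailto[<e-mail>].<6 hex chars>" extension, dozens of files per second. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses events in the flat one-field-per-line layout used above, extracts the suffix each rename appended, and flags a run as ransomware-like when either that Mailto naming pattern is present or a burst of renames all share one suffix. The sample log is constructed: five events are copied from the table above, and one benign rename (the notes.txt event) is invented for contrast. The thresholds window_s and min_burst are assumptions, not values from the report.

```python
import re
from collections import Counter, namedtuple

# Extension pattern this sample appends to every file it touches:
# "<original name>.mailto[<contact e-mail>].<6 hex chars>"
MAILTO_EXT = re.compile(
    r"\.mailto\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<id>[0-9a-f]{6})$", re.IGNORECASE
)

# Line shapes of the flat sandbox log: a bare timestamp, the API name,
# "key: value" argument lines, and a closing "success|failed <return> <repeated>" line.
TS_RE = re.compile(r"^\d+\.\d+$")
ARG_RE = re.compile(r"^(\w+): (.*)$")
RESULT_RE = re.compile(r"^(success|failed) (\S+) (\d+)$")

Event = namedtuple("Event", "time api args status ret repeated")

# Constructed sample: five events copied from the report's rename table plus one
# invented benign rename (notes.txt -> notes.bak) that must not be flagged.
SAMPLE_LOG = r"""
1620021690.000000
MoveFileWithProgressW
oldfilepath: C:\Users\OSKAR\Desktop\notes.txt
newfilepath: C:\Users\OSKAR\Desktop\notes.bak
flags: 1
success 1 0
1620021695.570249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\boolobject.h
newfilepath: C:\Python27\include\boolobject.h.mailto[kokoklock@cock.li].524b64
newfilepath_r: C:\Python27\include\boolobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
oldfilepath_r: C:\Python27\include\boolobject.h
success 1 0
1620021695.601249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bufferobject.h
newfilepath: C:\Python27\include\bufferobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
success 1 0
1620021695.617249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bytearrayobject.h
newfilepath: C:\Python27\include\bytearrayobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
success 1 0
1620021695.648249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bytesobject.h
newfilepath: C:\Python27\include\bytesobject.h.mailto[kokoklock@cock.li].524b64
flags: 2
success 1 0
1620021695.663249
MoveFileWithProgressW
oldfilepath: C:\Python27\include\bytes_methods.h
newfilepath: C:\Python27\include\bytes_methods.h.mailto[kokoklock@cock.li].524b64
flags: 2
success 1 0
"""


def parse_events(text):
    """Parse the flat one-field-per-line API log into Event tuples.
    Lines before the first timestamp (a truncated leading event) are skipped."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            cur = {"time": float(line), "api": None, "args": {}}
            continue
        if cur is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            events.append(Event(cur["time"], cur["api"], cur["args"],
                                m.group(1), m.group(2), int(m.group(3))))
            cur = None
            continue
        if cur["api"] is None:
            cur["api"] = line          # first line after the timestamp is the API name
        else:
            m = ARG_RE.match(line)
            if m:
                cur["args"][m.group(1)] = m.group(2)
    return events


def appended_suffix(ev):
    """For a rename that only adds a suffix to the original path, return that suffix."""
    old, new = ev.args.get("oldfilepath"), ev.args.get("newfilepath")
    if ev.api != "MoveFileWithProgressW" or not old or not new:
        return None
    if len(new) > len(old) and new[: len(old)].lower() == old.lower():
        return new[len(old):]
    return None


def analyze(text, window_s=1.0, min_burst=5):
    """Summarise rename behaviour and decide whether it looks like mass encryption.
    window_s and min_burst are assumed thresholds, not values from the report."""
    renames = [ev for ev in parse_events(text)
               if ev.api == "MoveFileWithProgressW" and ev.status == "success"]
    suffixes = Counter(s for s in map(appended_suffix, renames) if s)
    matches = [m for m in (MAILTO_EXT.search(s) for s in suffixes.elements()) if m]
    # Largest number of successful renames inside any window_s-second window
    times = sorted(ev.time for ev in renames)
    max_burst, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:
            j += 1
        max_burst = max(max_burst, i - j + 1)
    suspected = bool(matches) or (max_burst >= min_burst and len(suffixes) == 1)
    return {
        "renames": len(renames),
        "appended_suffixes": dict(suffixes),
        "mailto_emails": dict(Counter(m.group("email") for m in matches)),
        "mailto_ids": dict(Counter(m.group("id") for m in matches)),
        "max_burst": max_burst,
        "ransomware_suspected": suspected,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The burst check is what survives a change of extension: a fresh build with a different e-mail or id still produces dozens of renames per second that all share one suffix, whereas the regex only catches this family's naming scheme. Feed the whole flat log of a run, including any truncated leading event, to analyze().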
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample.
Run screenshots
No run screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2019-08-28 23:50:41

Imports

Library KERNEL32.dll:
0x412000 OutputDebugStringA
A single imported function is not a working import table; it is the typical signature of a packed or self-resolving binary, whose real imports are resolved at run time and are only visible in the dynamic API log.

Hosts

No hosts contacted.

TCP

Source          Source Port  Destination                            Destination Port
192.168.56.101  49183        192.168.56.1                           139
192.168.56.101  49184        192.168.56.1                           139
192.168.56.101  49186        192.168.56.1                           139
192.168.56.101  49194        192.168.56.1                           445
192.168.56.101  50478        203.208.40.98 (update.googleapis.com)  443
The three 139 (NetBIOS session) and one 445 (SMB) connections go to 192.168.56.1, the host side of the sandbox's host-only network. The table does not show whether the sample or Windows itself opened them, so treat them as a lead for share enumeration, not proof. The 443 connection to update.googleapis.com is Google Update (Omaha) client traffic from the VM and should not be attributed to the sample.

UDP

Source          Source Port  Destination      Destination Port
192.168.56.1    137          192.168.56.101   137
192.168.56.1    138          192.168.56.101   138
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  51963        114.114.114.114  53
192.168.56.101  53210        114.114.114.114  53
192.168.56.101  54178        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  60384        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  49235        224.0.0.252      5355
192.168.56.101  49713        224.0.0.252      5355
192.168.56.101  51378        224.0.0.252      5355
192.168.56.101  51808        224.0.0.252      5355
192.168.56.101  53237        224.0.0.252      5355
192.168.56.101  53380        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  60221        224.0.0.252      5355
Ports 137/138 to and from 192.168.56.1 and to the 192.168.56.255 broadcast address are NetBIOS name and datagram service traffic, 5355 to 224.0.0.252 is LLMNR multicast name resolution, and 53 to 114.114.114.114 is the DNS resolver the VM is configured to use. All of this is Windows name resolution; nothing in this table is unique to the sample.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.