diff --git a/README.md b/README.md
index 6e4ec413..ac9d94d3 100644
--- a/README.md
+++ b/README.md
@@ -1,20 +1,28 @@
-# sysmon-config | A Sysmon configuration file for everybody to fork #
+# sysmon-config | A ransomware focused Sysmon configuration file #
 
-This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
+This is a Microsoft Sysinternals Sysmon configuration file template with
+default high-quality event tracing. This is a fork of
+[SwiftOnSecurity](https://twitter.com/SwiftOnSecurity/)'s awesome
+[sysmon-config](https://github.com/SwiftOnSecurity/sysmon-config), with an
+additional focus on ransomware artifacts.
 
-The file should function as a great starting point for system change monitoring in a self-contained and accessible package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.
+## Reasoning ##
 
-      **[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**
+Ransomware commonly encrypt documents and other files, often renaming them with
+deterministic file names and extensions in the process. In addition, they
+create instructions in the forms of text files, images or executables detailing
+how to restore these files (often in the form of payment). Monitoring for files
+that match these ransomware artifacts may provide security teams with early
+warnings of a ransomware outbreak.
 
-Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems.
+It is strongly suggested that you configure your SIEM or alerting system when
+there is a large number of Sysmon Event Code 11 (File Creation or Overwrites)
+events that match file names or extensions commonly associated with ransomware.
 
-- For a far more exhaustive and detailed approach to Sysmon configuration from a different approach, see also **[sysmon-modular](https://github.com/olafhartong/sysmon-modular)** by [@olafhartong](https://twitter.com/olafhartong), which can act as a superset of sysmon-config.
-
-- Sysmon is a compliment to native Windows logging abilities, not a replacement for it. For valuable advice on these configurations, see **[MalwareArchaeology Logging Cheat Sheets](https://www.malwarearchaeology.com/cheat-sheets)** by [@HackerHurricane](https://twitter.com/hackerhurricane).
-
-Note: Exact syntax and filtering choices in the configuration are highly deliberate in what they target, and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of paths. 
-
-      **[See other forks of this configuration](https://github.com/SwiftOnSecurity/sysmon-config/network)**
+**N.B.** There are some ransomware variants that do not rename file extensions,
+or use completely random extensions, which will not be detected by this
+Sysmon configuration. Use your judgment, apply appropriate Anti-Virus and
+other controls, practice defense-in-depth.
 
 ## Use ##
 ### Install ###
@@ -35,15 +43,8 @@ Run with administrator rights
 sysmon.exe -u
 ~~~~
 
-## Required actions ##
-
-### Prerequisites ###
-Highly recommend using [Notepad++](https://notepad-plus-plus.org/) to edit this configuration. It understands UNIX newline format and does XML syntax highlighting, which makes this very understandable. I do not recommend using the built-in Notepad.exe.
-
-### Customization ###
-You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.
-
-The configuration is highly commented and designed to be self-explanatory to assist you in this customization to your environment.
+## Thanks ##
 
-### Design notes ###
-This configuration expects software to be installed system-wide and NOT in the C:\Users folder. Various pieces of software install themselves in User directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions.
+Thanks to [SwiftOnSecurity](https://twitter.com/SwiftOnSecurity/) for their well
+documented Sysmon configuration, and mark Russinovich and Thomas Garnier for
+developing Sysmon.
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f4acf26c..fd91976f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,10 +4,10 @@
   Source project:	https://github.com/SwiftOnSecurity/sysmon-config
   Source license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
-  Fork version:	<N/A>
-  Fork author:	<N/A>
-  Fork project:	<N/A>
-  Fork license:	<N/A>
+  Fork version:	1.0
+  Fork author:	Simon Duff (@sduff)
+  Fork project: https://github.com/sduff/sysmon-config
+  Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
   REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes)
 	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
@@ -515,6 +515,485 @@
 			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
 			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
 			<TargetFilename condition="end with">.rtf</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
+			<!-- Ransomare can leave notes on the filesystem, explaining their recovery process | Credit: @sduff -->
+			<TargetFilename condition="contains">decrypt all files</TargetFilename>
+			<TargetFilename condition="contains">_h_e_l_p_recover_instructions</TargetFilename>
+			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename condition="contains">how_recover</TargetFilename>
+			<TargetFilename condition="contains">@please_read_me@</TargetFilename>
+			<TargetFilename condition="contains">-read-for-hellpp.html</TargetFilename>
+			<TargetFilename condition="contains">readme_decrypt_hydra_id_</TargetFilename>
+			<TargetFilename condition="contains">readme_decrypt_umbre_id_</TargetFilename>
+			<TargetFilename condition="contains">recover_files_</TargetFilename>
+			<TargetFilename condition="contains">recover_file_</TargetFilename>
+			<TargetFilename condition="contains">recovery_file_</TargetFilename>
+			<TargetFilename condition="contains">recovery</TargetFilename>
+			<TargetFilename condition="contains">-sorry-for-files.html</TargetFilename>
+			<TargetFilename condition="contains">@wanadecryptor@.exe</TargetFilename>
+			<TargetFilename condition="end with">about_files.txt</TargetFilename>
+			<TargetFilename condition="end with">allfilesarelocked_.bmp</TargetFilename>
+			<TargetFilename condition="end with">attention.rtf</TargetFilename>
+			<TargetFilename condition="end with">bitcryptorfilelist.txt</TargetFilename>
+			<TargetFilename condition="end with">bleepedfiles.txt</TargetFilename>
+			<TargetFilename condition="end with">buyunlockcode</TargetFilename>
+			<TargetFilename condition="end with">coin.locker.txt</TargetFilename>
+			<TargetFilename condition="end with">cryptinfo.txt</TargetFilename>
+			<TargetFilename condition="end with">cryptlogfile.txt</TargetFilename>
+			<TargetFilename condition="end with">decrypt all files *.bmp</TargetFilename>
+			<TargetFilename condition="end with">decryptallfiles.txt</TargetFilename>
+			<TargetFilename condition="end with">decryptallfiles_.txt</TargetFilename>
+			<TargetFilename condition="end with">decrypt_instructions.html</TargetFilename>
+			<TargetFilename condition="end with">decrypt_instructions.txt</TargetFilename>
+			<TargetFilename condition="end with">decrypt_instruction.txt</TargetFilename>
+			<TargetFilename condition="end with"># decrypt my files #.html</TargetFilename>
+			<TargetFilename condition="end with"># decrypt my files #.txt</TargetFilename>
+			<TargetFilename condition="end with"># decrypt my files #.vbs</TargetFilename>
+			<TargetFilename condition="end with">decrypt_readme.txt.readme</TargetFilename>
+			<TargetFilename condition="end with">decrypt_readme.txt</TargetFilename>
+			<TargetFilename condition="end with">decrypt_your_files.html</TargetFilename>
+			<TargetFilename condition="end with">encryptor_raas_readme_liesmich.txt</TargetFilename>
+			<TargetFilename condition="end with">exit.hhr.obleep</TargetFilename>
+			<TargetFilename condition="end with">filesaregone.txt</TargetFilename>
+			<TargetFilename condition="end with">getyoufiles.txt</TargetFilename>
+			<TargetFilename condition="end with">hellothere.txt</TargetFilename>
+			<TargetFilename condition="end with">help_decrypt.txt</TargetFilename>
+			<TargetFilename condition="end with">help_decrypt_your_files.html</TargetFilename>
+			<TargetFilename condition="end with">help_decyprt_your_files.html</TargetFilename>
+			<TargetFilename condition="end with">*-help_for_decrypt_file.html</TargetFilename>
+			<TargetFilename condition="end with">help recover files.txt</TargetFilename>
+			<TargetFilename condition="end with">help_recover_files.txt</TargetFilename>
+			<TargetFilename condition="end with">help_restore_files.txt</TargetFilename>
+			<TargetFilename condition="end with">help_to_decrypt_your_files.txt</TargetFilename>
+			<TargetFilename condition="end with">help_to_save_files.txt</TargetFilename>
+			<TargetFilename condition="end with">help_yourfiles.html</TargetFilename>
+			<TargetFilename condition="end with">help_your_files.txt</TargetFilename>
+			<TargetFilename condition="end with">howdecrypt.gif</TargetFilename>
+			<TargetFilename condition="end with">how_decrypt.txt</TargetFilename>
+			<TargetFilename condition="end with">_how_recover_.txt</TargetFilename>
+			<TargetFilename condition="end with">how to decrypt files.html</TargetFilename>
+			<TargetFilename condition="end with">how-to-decrypt-files.html</TargetFilename>
+			<TargetFilename condition="end with">how to decrypt files.txt</TargetFilename>
+			<TargetFilename condition="end with">how_to_decrypt_files.txt</TargetFilename>
+			<TargetFilename condition="end with">how_to_decrypt.html</TargetFilename>
+			<TargetFilename condition="end with">how to get data.txt</TargetFilename>
+			<TargetFilename condition="end with">how_to_recover_files.txt</TargetFilename>
+			<TargetFilename condition="end with">howto_recover_file_.txt</TargetFilename>
+			<TargetFilename condition="end with">how_to_restore_files.txt</TargetFilename>
+			<TargetFilename condition="end with">howto_restore_files.txt</TargetFilename>
+			<TargetFilename condition="end with">howto_restore_files_.txt</TargetFilename>
+			<TargetFilename condition="end with">iamreadytopay.txt</TargetFilename>
+			<TargetFilename condition="end with">ihaveyoursecret.key</TargetFilename>
+			<TargetFilename condition="end with">important read me.txt</TargetFilename>
+			<TargetFilename condition="end with">kryptolocker_readme.txt</TargetFilename>
+			<TargetFilename condition="end with">_locky_recover_instructions.txt</TargetFilename>
+			<TargetFilename condition="end with">nefilim-decrypt.txt</TargetFilename>
+			<TargetFilename condition="end with">qwer2.html</TargetFilename>
+			<TargetFilename condition="end with">qwer.html</TargetFilename>
+			<TargetFilename condition="end with">readdecryptfileshere.txt</TargetFilename>
+			<TargetFilename condition="end with">read if you want your files back.html</TargetFilename>
+			<TargetFilename condition="end with">readme10.txt</TargetFilename>
+			<TargetFilename condition="end with">readme1.txt</TargetFilename>
+			<TargetFilename condition="end with">readme2.txt</TargetFilename>
+			<TargetFilename condition="end with">readme3.txt</TargetFilename>
+			<TargetFilename condition="end with">readme4.txt</TargetFilename>
+			<TargetFilename condition="end with">readme5.txt</TargetFilename>
+			<TargetFilename condition="end with">readme6.txt</TargetFilename>
+			<TargetFilename condition="end with">readme7.txt</TargetFilename>
+			<TargetFilename condition="end with">readme8.txt</TargetFilename>
+			<TargetFilename condition="end with">readme9.txt</TargetFilename>
+			<TargetFilename condition="end with">readme.txt</TargetFilename>
+			<TargetFilename condition="end with">readthisnow!!!.txt</TargetFilename>
+			<TargetFilename condition="end with">read.txt</TargetFilename>
+			<TargetFilename condition="end with">recovery_files.txt</TargetFilename>
+			<TargetFilename condition="end with">recovery_file.txt</TargetFilename>
+			<TargetFilename condition="end with">recovery_key.txt</TargetFilename>
+			<TargetFilename condition="end with">restore_files_.txt</TargetFilename>
+			<TargetFilename condition="end with">ryukreadme.html</TargetFilename>
+			<TargetFilename condition="end with">_secret_code.txt</TargetFilename>
+			<TargetFilename condition="end with">secretidhere.key</TargetFilename>
+			<TargetFilename condition="end with">secret.key</TargetFilename>
+			<TargetFilename condition="end with">unblockfiles.vbs</TargetFilename>
+			<TargetFilename condition="end with">your_files_are_encrypted.html</TargetFilename>
+			<TargetFilename condition="end with">your_files.html</TargetFilename>
+			<TargetFilename condition="end with">your_files.url</TargetFilename>
+			<!-- Ransomware can encrypt files, often renaming them in the process. These are common ransomware extensions | Credit: @sduff -->
+			<TargetFilename condition="contains">cpyt</TargetFilename>
+			<TargetFilename condition="contains">crypt</TargetFilename>
+			<TargetFilename condition="contains">darkness</TargetFilename>
+			<TargetFilename condition="contains">decipher</TargetFilename>
+			<TargetFilename condition="contains">enc</TargetFilename>
+			<TargetFilename condition="contains">exx</TargetFilename>
+			<TargetFilename condition="contains">@gmail_com_</TargetFilename>
+			<TargetFilename condition="contains">help_restore</TargetFilename>
+			<TargetFilename condition="contains">help_your_files</TargetFilename>
+			<TargetFilename condition="contains">how_to_recover</TargetFilename>
+			<TargetFilename condition="contains">.hydracrypt_id_</TargetFilename>
+			<TargetFilename condition="contains">@india.com</TargetFilename>
+			<TargetFilename condition="contains">install_tor</TargetFilename>
+			<TargetFilename condition="contains">keemail.me</TargetFilename>
+			<TargetFilename condition="contains">qq_com</TargetFilename>
+			<TargetFilename condition="contains">restore_fi</TargetFilename>
+			<TargetFilename condition="contains">ukr.net</TargetFilename>
+			<TargetFilename condition="contains">.unbrecrypt_id_</TargetFilename>
+			<TargetFilename condition="contains">want your files back</TargetFilename>
+			<TargetFilename condition="end with">.0x0</TargetFilename>
+			<TargetFilename condition="end with">.1999</TargetFilename>
+			<TargetFilename condition="end with">.1cbu1</TargetFilename>
+			<TargetFilename condition="end with">.1txt</TargetFilename>
+			<TargetFilename condition="end with">.73i87a</TargetFilename>
+			<TargetFilename condition="end with">.777</TargetFilename>
+			<TargetFilename condition="end with">.7h9r</TargetFilename>
+			<TargetFilename condition="end with">.8lock8</TargetFilename>
+			<TargetFilename condition="end with">.a5zfn</TargetFilename>
+			<TargetFilename condition="end with">.aaa</TargetFilename>
+			<TargetFilename condition="end with">.abc</TargetFilename>
+			<TargetFilename condition="end with">.adk</TargetFilename>
+			<TargetFilename condition="end with">.adr</TargetFilename>
+			<TargetFilename condition="end with">.aes256</TargetFilename>
+			<TargetFilename condition="end with">aes256</TargetFilename>
+			<TargetFilename condition="end with">.aesir</TargetFilename>
+			<TargetFilename condition="end with">.afd</TargetFilename>
+			<TargetFilename condition="end with">.aga</TargetFilename>
+			<TargetFilename condition="end with">._airacropencrypted</TargetFilename>
+			<TargetFilename condition="end with">.alcatraz</TargetFilename>
+			<TargetFilename condition="end with">.amba</TargetFilename>
+			<TargetFilename condition="end with">.angelamerkel</TargetFilename>
+			<TargetFilename condition="end with">.angleware</TargetFilename>
+			<TargetFilename condition="end with">.antihacker2017</TargetFilename>
+			<TargetFilename condition="end with">.areyoulovemyransfile</TargetFilename>
+			<TargetFilename condition="end with">.areyoulovemyrans</TargetFilename>
+			<TargetFilename condition="end with">.asier</TargetFilename>
+			<TargetFilename condition="end with">.atlas</TargetFilename>
+			<TargetFilename condition="end with">.axx</TargetFilename>
+			<TargetFilename condition="end with">.barrax</TargetFilename>
+			<TargetFilename condition="end with">.bart</TargetFilename>
+			<TargetFilename condition="end with">.bart.zip</TargetFilename>
+			<TargetFilename condition="end with">.better_call_saul</TargetFilename>
+			<TargetFilename condition="end with">.bin</TargetFilename>
+			<TargetFilename condition="end with">.bitstak</TargetFilename>
+			<TargetFilename condition="end with">.bleep</TargetFilename>
+			<TargetFilename condition="end with">.bleepyourfiles</TargetFilename>
+			<TargetFilename condition="end with">.blocatto</TargetFilename>
+			<TargetFilename condition="end with">.bloc</TargetFilename>
+			<TargetFilename condition="end with">.braincrypt</TargetFilename>
+			<TargetFilename condition="end with">.breaking_bad</TargetFilename>
+			<TargetFilename condition="end with">.breeding123</TargetFilename>
+			<TargetFilename condition="end with">.bript</TargetFilename>
+			<TargetFilename condition="end with">.btcbtcbtc</TargetFilename>
+			<TargetFilename condition="end with">.btc-help-you</TargetFilename>
+			<TargetFilename condition="end with">.btc</TargetFilename>
+			<TargetFilename condition="end with">.canihelpyou</TargetFilename>
+			<TargetFilename condition="end with">.cbf</TargetFilename>
+			<TargetFilename condition="end with">.cccrrrppp</TargetFilename>
+			<TargetFilename condition="end with">.ccc</TargetFilename>
+			<TargetFilename condition="end with">.cerber2</TargetFilename>
+			<TargetFilename condition="end with">.cerber3</TargetFilename>
+			<TargetFilename condition="end with">.cerber</TargetFilename>
+			<TargetFilename condition="end with">.checkdiskenced</TargetFilename>
+			<TargetFilename condition="end with">.chifrator@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.cifgksaffsfyghd</TargetFilename>
+			<TargetFilename condition="end with">.clf</TargetFilename>
+			<TargetFilename condition="end with">.coded</TargetFilename>
+			<TargetFilename condition="end with">.code</TargetFilename>
+			<TargetFilename condition="end with">.comrade</TargetFilename>
+			<TargetFilename condition="end with">.conficker</TargetFilename>
+			<TargetFilename condition="end with">.confirmation.key</TargetFilename>
+			<TargetFilename condition="end with">.country82000</TargetFilename>
+			<TargetFilename condition="end with">.coverton</TargetFilename>
+			<TargetFilename condition="end with">.crab</TargetFilename>
+			<TargetFilename condition="end with">.crashed</TargetFilename>
+			<TargetFilename condition="end with">.crime</TargetFilename>
+			<TargetFilename condition="end with">.crinf</TargetFilename>
+			<TargetFilename condition="end with">.criptiko</TargetFilename>
+			<TargetFilename condition="end with">.criptokod</TargetFilename>
+			<TargetFilename condition="end with">.criptoko</TargetFilename>
+			<TargetFilename condition="end with">.cripttt</TargetFilename>
+			<TargetFilename condition="end with">.crjocker</TargetFilename>
+			<TargetFilename condition="end with">.crjoker</TargetFilename>
+			<TargetFilename condition="end with">.crptrgr</TargetFilename>
+			<TargetFilename condition="end with">.crrrt</TargetFilename>
+			<TargetFilename condition="end with">.cryeye</TargetFilename>
+			<TargetFilename condition="end with">.cryp1</TargetFilename>
+			<TargetFilename condition="end with">.crypt38</TargetFilename>
+			<TargetFilename condition="end with">.crypted</TargetFilename>
+			<TargetFilename condition="end with">.crypte</TargetFilename>
+			<TargetFilename condition="end with">.cryptolocker</TargetFilename>
+			<TargetFilename condition="end with">.crypto</TargetFilename>
+			<TargetFilename condition="end with">crypto</TargetFilename>
+			<TargetFilename condition="end with">.cryptotorlocker2015!</TargetFilename>
+			<TargetFilename condition="end with">.cryptowall</TargetFilename>
+			<TargetFilename condition="end with">._crypt</TargetFilename>
+			<TargetFilename condition="end with">.crypt</TargetFilename>
+			<TargetFilename condition="end with">.cryptz</TargetFilename>
+			<TargetFilename condition="end with">.crypz</TargetFilename>
+			<TargetFilename condition="end with">.crysis</TargetFilename>
+			<TargetFilename condition="end with">.cry</TargetFilename>
+			<TargetFilename condition="end with">cry</TargetFilename>
+			<TargetFilename condition="end with">.ctb2</TargetFilename>
+			<TargetFilename condition="end with">.ctbl2</TargetFilename>
+			<TargetFilename condition="end with">.ctbl</TargetFilename>
+			<TargetFilename condition="end with">.czvxce</TargetFilename>
+			<TargetFilename condition="end with">.d4nk</TargetFilename>
+			<TargetFilename condition="end with">.dale</TargetFilename>
+			<TargetFilename condition="end with">.damage</TargetFilename>
+			<TargetFilename condition="end with">.darkness</TargetFilename>
+			<TargetFilename condition="end with">.da_vinci_code</TargetFilename>
+			<TargetFilename condition="end with">.dcrypt</TargetFilename>
+			<TargetFilename condition="end with">.decrypt2017</TargetFilename>
+			<TargetFilename condition="end with">.ded</TargetFilename>
+			<TargetFilename condition="end with">.dexter</TargetFilename>
+			<TargetFilename condition="end with">.dharma</TargetFilename>
+			<TargetFilename condition="end with">.disposed2017</TargetFilename>
+			<TargetFilename condition="end with">.dll</TargetFilename>
+			<TargetFilename condition="end with">.domino</TargetFilename>
+			<TargetFilename condition="end with">.dxxd</TargetFilename>
+			<TargetFilename condition="end with">.dyatel@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.ecc</TargetFilename>
+			<TargetFilename condition="end with">.edgel</TargetFilename>
+			<TargetFilename condition="end with">.encedrsa</TargetFilename>
+			<TargetFilename condition="end with">.enc_files.txt</TargetFilename>
+			<TargetFilename condition="end with">.enciphered</TargetFilename>
+			<TargetFilename condition="end with">.encmywork</TargetFilename>
+			<TargetFilename condition="end with">.encoderpass</TargetFilename>
+			<TargetFilename condition="end with">.encr</TargetFilename>
+			<TargetFilename condition="end with">.encryptedaes</TargetFilename>
+			<TargetFilename condition="end with">.encryptedrsa</TargetFilename>
+			<TargetFilename condition="end with">.encrypted </TargetFilename>
+			<TargetFilename condition="end with">.encrypted</TargetFilename>
+			<TargetFilename condition="end with">.encryptedyourfiles</TargetFilename>
+			<TargetFilename condition="end with">.encrypt</TargetFilename>
+			<TargetFilename condition="end with">.enc</TargetFilename>
+			<TargetFilename condition="end with">.enigma</TargetFilename>
+			<TargetFilename condition="end with">.epic</TargetFilename>
+			<TargetFilename condition="end with">.evillock</TargetFilename>
+			<TargetFilename condition="end with">.exotic</TargetFilename>
+			<TargetFilename condition="end with">.exx</TargetFilename>
+			<TargetFilename condition="end with">.ezz</TargetFilename>
+			<TargetFilename condition="end with">.fantom</TargetFilename>
+			<TargetFilename condition="end with">.file0locked</TargetFilename>
+			<TargetFilename condition="end with">.filegofprencrp</TargetFilename>
+			<TargetFilename condition="end with">.fileiscryptedhard</TargetFilename>
+			<TargetFilename condition="end with">.filock</TargetFilename>
+			<TargetFilename condition="end with">.frtrss</TargetFilename>
+			<TargetFilename condition="end with">.fucked</TargetFilename>
+			<TargetFilename condition="end with">.fuck</TargetFilename>
+			<TargetFilename condition="end with">.fucku</TargetFilename>
+			<TargetFilename condition="end with">.fuckyourdata</TargetFilename>
+			<TargetFilename condition="end with">.fun</TargetFilename>
+			<TargetFilename condition="end with">.gefickt</TargetFilename>
+			<TargetFilename condition="end with">.globe</TargetFilename>
+			<TargetFilename condition="end with">.goforhelp</TargetFilename>
+			<TargetFilename condition="end with">.good</TargetFilename>
+			<TargetFilename condition="end with">.grt</TargetFilename>
+			<TargetFilename condition="end with">.gruzin@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.gws</TargetFilename>
+			<TargetFilename condition="end with">.h3ll</TargetFilename>
+			<TargetFilename condition="end with">.ha3</TargetFilename>
+			<TargetFilename condition="end with">.happenencedfiles</TargetFilename>
+			<TargetFilename condition="end with">.hb15</TargetFilename>
+			<TargetFilename condition="end with">.helpdecrypt@ukr.net</TargetFilename>
+			<TargetFilename condition="end with">.helpmeencedfiles</TargetFilename>
+			<TargetFilename condition="end with">.herbst</TargetFilename>
+			<TargetFilename condition="end with">.hnumkhotep</TargetFilename>
+			<TargetFilename condition="end with">.howcanihelpusir</TargetFilename>
+			<TargetFilename condition="end with">.hush</TargetFilename>
+			<TargetFilename condition="end with">.iaufkakfhsaraf</TargetFilename>
+			<TargetFilename condition="end with">.ifuckedyou</TargetFilename>
+			<TargetFilename condition="end with">.iloveworld</TargetFilename>
+			<TargetFilename condition="end with">.infected</TargetFilename>
+			<TargetFilename condition="end with">.info</TargetFilename>
+			<TargetFilename condition="end with">-instruction.html</TargetFilename>
+			<TargetFilename condition="end with">.isis</TargetFilename>
+			<TargetFilename condition="end with">.iwanthelpuuu</TargetFilename>
+			<TargetFilename condition="end with">.iwishiyou</TargetFilename>
+			<TargetFilename condition="end with">.justbtcwillhelpyou</TargetFilename>
+			<TargetFilename condition="end with">kb15</TargetFilename>
+			<TargetFilename condition="end with">.kernel_complete</TargetFilename>
+			<TargetFilename condition="end with">.kernel_pid</TargetFilename>
+			<TargetFilename condition="end with">.kernel_time</TargetFilename>
+			<TargetFilename condition="end with">.keybtc@inbox_com</TargetFilename>
+			<TargetFilename condition="end with">.keyh0les</TargetFilename>
+			<TargetFilename condition="end with">.keyz</TargetFilename>
+			<TargetFilename condition="end with">.kimcilware</TargetFilename>
+			<TargetFilename condition="end with">.kkk</TargetFilename>
+			<TargetFilename condition="end with">.korrektor</TargetFilename>
+			<TargetFilename condition="end with">.kostya</TargetFilename>
+			<TargetFilename condition="end with">.kraken</TargetFilename>
+			<TargetFilename condition="end with">kraken</TargetFilename>
+			<TargetFilename condition="end with">.kratos</TargetFilename>
+			<TargetFilename condition="end with">.kyra</TargetFilename>
+			<TargetFilename condition="end with">.last_chance.txt</TargetFilename>
+			<TargetFilename condition="end with">.lcked</TargetFilename>
+			<TargetFilename condition="end with">.lechiffre</TargetFilename>
+			<TargetFilename condition="end with">.legion</TargetFilename>
+			<TargetFilename condition="end with">.lesli</TargetFilename>
+			<TargetFilename condition="end with">.letmetrydecfiles</TargetFilename>
+			<TargetFilename condition="end with">.lock93</TargetFilename>
+			<TargetFilename condition="end with">.locked</TargetFilename>
+			<TargetFilename condition="end with">locked</TargetFilename>
+			<TargetFilename condition="end with">.locklock</TargetFilename>
+			<TargetFilename condition="end with">.lock</TargetFilename>
+			<TargetFilename condition="end with">.locky</TargetFilename>
+			<TargetFilename condition="end with">.loli</TargetFilename>
+			<TargetFilename condition="end with">.lol!</TargetFilename>
+			<TargetFilename condition="end with">.loveransisgood</TargetFilename>
+			<TargetFilename condition="end with">.lovewindows</TargetFilename>
+			<TargetFilename condition="end with">.madebyadam</TargetFilename>
+			<TargetFilename condition="end with">.magic</TargetFilename>
+			<TargetFilename condition="end with">.maya</TargetFilename>
+			<TargetFilename condition="end with">.mention9823</TargetFilename>
+			<TargetFilename condition="end with">.merry</TargetFilename>
+			<TargetFilename condition="end with">.message.txt</TargetFilename>
+			<TargetFilename condition="end with">.micro</TargetFilename>
+			<TargetFilename condition="end with">.mole</TargetFilename>
+			<TargetFilename condition="end with">.moments2900</TargetFilename>
+			<TargetFilename condition="end with">.mp3</TargetFilename>
+			<TargetFilename condition="end with">.mrcr1</TargetFilename>
+			<TargetFilename condition="end with">.myransext2017</TargetFilename>
+			<TargetFilename condition="end with">.nalog@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.nefilim</TargetFilename>
+			<TargetFilename condition="end with">.nochance</TargetFilename>
+			<TargetFilename condition="end with">nochance</TargetFilename>
+			<TargetFilename condition="end with">.noproblemwedecfiles</TargetFilename>
+			<TargetFilename condition="end with">.notfoundrans</TargetFilename>
+			<TargetFilename condition="end with">.nuclear55</TargetFilename>
+			<TargetFilename condition="end with">.odcodc</TargetFilename>
+			<TargetFilename condition="end with">.odin</TargetFilename>
+			<TargetFilename condition="end with">.omg!</TargetFilename>
+			<TargetFilename condition="end with">.onion</TargetFilename>
+			<TargetFilename condition="end with">.only-we_can-help_you</TargetFilename>
+			<TargetFilename condition="end with">.oops</TargetFilename>
+			<TargetFilename condition="end with">.oor</TargetFilename>
+			<TargetFilename condition="end with">.oplata@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.oshit</TargetFilename>
+			<TargetFilename condition="end with">oshit</TargetFilename>
+			<TargetFilename condition="end with">.osiris</TargetFilename>
+			<TargetFilename condition="end with">.otherinformation</TargetFilename>
+			<TargetFilename condition="end with">.p5tkjw</TargetFilename>
+			<TargetFilename condition="end with">.padcrypt</TargetFilename>
+			<TargetFilename condition="end with">.paybtcs</TargetFilename>
+			<TargetFilename condition="end with">.paymrss</TargetFilename>
+			<TargetFilename condition="end with">.payms</TargetFilename>
+			<TargetFilename condition="end with">.paymst</TargetFilename>
+			<TargetFilename condition="end with">.paym</TargetFilename>
+			<TargetFilename condition="end with">.paymts</TargetFilename>
+			<TargetFilename condition="end with">.payransom</TargetFilename>
+			<TargetFilename condition="end with">.payrms</TargetFilename>
+			<TargetFilename condition="end with">.pays</TargetFilename>
+			<TargetFilename condition="end with">.pdcr</TargetFilename>
+			<TargetFilename condition="end with">.pec</TargetFilename>
+			<TargetFilename condition="end with">.pegs1</TargetFilename>
+			<TargetFilename condition="end with">.perl</TargetFilename>
+			<TargetFilename condition="end with">.pizda@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.poar2w</TargetFilename>
+			<TargetFilename condition="end with">.porno</TargetFilename>
+			<TargetFilename condition="end with">.poshkoder</TargetFilename>
+			<TargetFilename condition="end with">.potato</TargetFilename>
+			<TargetFilename condition="end with">.powerfulldecryp</TargetFilename>
+			<TargetFilename condition="end with">.powerfulldecrypt</TargetFilename>
+			<TargetFilename condition="end with">.prosperous666</TargetFilename>
+			<TargetFilename condition="end with">.pubg</TargetFilename>
+			<TargetFilename condition="end with">.purge</TargetFilename>
+			<TargetFilename condition="end with">.pzdc</TargetFilename>
+			<TargetFilename condition="end with">.r16m01d05</TargetFilename>
+			<TargetFilename condition="end with">.r4a</TargetFilename>
+			<TargetFilename condition="end with">.r5a</TargetFilename>
+			<TargetFilename condition="end with">.radamant</TargetFilename>
+			<TargetFilename condition="end with">.rad</TargetFilename>
+			<TargetFilename condition="end with">.raid10</TargetFilename>
+			<TargetFilename condition="end with">.rare1</TargetFilename>
+			<TargetFilename condition="end with">.razy</TargetFilename>
+			<TargetFilename condition="end with">.rdm</TargetFilename>
+			<TargetFilename condition="end with">.realfs0ciety@sigaint.org.fs0ciety</TargetFilename>
+			<TargetFilename condition="end with">.recovery_file.txt</TargetFilename>
+			<TargetFilename condition="end with">.recovery_key.txt</TargetFilename>
+			<TargetFilename condition="end with">.rekt</TargetFilename>
+			<TargetFilename condition="end with">.relock@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.remind</TargetFilename>
+			<TargetFilename condition="end with">.rip</TargetFilename>
+			<TargetFilename condition="end with">.rmcm1</TargetFilename>
+			<TargetFilename condition="end with">.rmd</TargetFilename>
+			<TargetFilename condition="end with">.rnsmwr</TargetFilename>
+			<TargetFilename condition="end with">.rokku</TargetFilename>
+			<TargetFilename condition="end with">.rrk</TargetFilename>
+			<TargetFilename condition="end with">.rsnslocked</TargetFilename>
+			<TargetFilename condition="end with">.rsplited</TargetFilename>
+			<TargetFilename condition="end with">.ruby</TargetFilename>
+			<TargetFilename condition="end with">.ryk</TargetFilename>
+			<TargetFilename condition="end with">._ryp</TargetFilename>
+			<TargetFilename condition="end with">.sage</TargetFilename>
+			<TargetFilename condition="end with">.sanctioned</TargetFilename>
+			<TargetFilename condition="end with">.sanction</TargetFilename>
+			<TargetFilename condition="end with">.scl</TargetFilename>
+			<TargetFilename condition="end with">.securecrypted</TargetFilename>
+			<TargetFilename condition="end with">.serpent</TargetFilename>
+			<TargetFilename condition="end with">.serp</TargetFilename>
+			<TargetFilename condition="end with">.sexy</TargetFilename>
+			<TargetFilename condition="end with">.shino</TargetFilename>
+			<TargetFilename condition="end with">.shit</TargetFilename>
+			<TargetFilename condition="end with">.silent</TargetFilename>
+			<TargetFilename condition="end with">.skjdthghh</TargetFilename>
+			<TargetFilename condition="end with">.spora</TargetFilename>
+			<TargetFilename condition="end with">.sport</TargetFilename>
+			<TargetFilename condition="end with">.stn</TargetFilename>
+			<TargetFilename condition="end with">.stubbin</TargetFilename>
+			<TargetFilename condition="end with">.supercrypt</TargetFilename>
+			<TargetFilename condition="end with">.supported2017</TargetFilename>
+			<TargetFilename condition="end with">.suppose665</TargetFilename>
+			<TargetFilename condition="end with">.suppose666</TargetFilename>
+			<TargetFilename condition="end with">.surprise</TargetFilename>
+			<TargetFilename condition="end with">.szf</TargetFilename>
+			<TargetFilename condition="end with">.theworldisyours</TargetFilename>
+			<TargetFilename condition="end with">.thor</TargetFilename>
+			<TargetFilename condition="end with">.toxcrypt</TargetFilename>
+			<TargetFilename condition="end with">.troyancoder@qq_com</TargetFilename>
+			<TargetFilename condition="end with">.trun</TargetFilename>
+			<TargetFilename condition="end with">.ttt</TargetFilename>
+			<TargetFilename condition="end with">.tzu</TargetFilename>
+			<TargetFilename condition="end with">.unavailable</TargetFilename>
+			<TargetFilename condition="end with">.vault.hta</TargetFilename>
+			<TargetFilename condition="end with">.vault.key</TargetFilename>
+			<TargetFilename condition="end with">.vault</TargetFilename>
+			<TargetFilename condition="end with">.vault.txt</TargetFilename>
+			<TargetFilename condition="end with">.vbransom</TargetFilename>
+			<TargetFilename condition="end with">.vekanhelpu</TargetFilename>
+			<TargetFilename condition="end with">.venusf</TargetFilename>
+			<TargetFilename condition="end with">.venusp</TargetFilename>
+			<TargetFilename condition="end with">.vforvendetta</TargetFilename>
+			<TargetFilename condition="end with">.vindows</TargetFilename>
+			<TargetFilename condition="end with">.vscrypt</TargetFilename>
+			<TargetFilename condition="end with">.vvv</TargetFilename>
+			<TargetFilename condition="end with">.vxlock</TargetFilename>
+			<TargetFilename condition="end with">.wallet</TargetFilename>
+			<TargetFilename condition="end with">.wcry</TargetFilename>
+			<TargetFilename condition="end with">.weapologize</TargetFilename>
+			<TargetFilename condition="end with">.weareyourfriends</TargetFilename>
+			<TargetFilename condition="end with">.weencedufiles</TargetFilename>
+			<TargetFilename condition="end with">.wflx</TargetFilename>
+			<TargetFilename condition="end with">.whereisyourfiles</TargetFilename>
+			<TargetFilename condition="end with">.where_my_files.txt</TargetFilename>
+			<TargetFilename condition="end with">.windows10</TargetFilename>
+			<TargetFilename condition="end with">.wncry</TargetFilename>
+			<TargetFilename condition="end with">.wncryt</TargetFilename>
+			<TargetFilename condition="end with">.wnry</TargetFilename>
+			<TargetFilename condition="end with">.wowreadfordecryp</TargetFilename>
+			<TargetFilename condition="end with">.wowwhereismyfiles</TargetFilename>
+			<TargetFilename condition="end with">.xcri</TargetFilename>
+			<TargetFilename condition="end with">.xort</TargetFilename>
+			<TargetFilename condition="end with">.xrnt</TargetFilename>
+			<TargetFilename condition="end with">.xrtn</TargetFilename>
+			<TargetFilename condition="end with">.xtbl</TargetFilename>
+			<TargetFilename condition="end with">.xxx</TargetFilename>
+			<TargetFilename condition="end with">.xyz</TargetFilename>
+			<TargetFilename condition="end with">.ytbl</TargetFilename>
+			<TargetFilename condition="end with">.z81928819</TargetFilename>
+			<TargetFilename condition="end with">.zc3791</TargetFilename>
+			<TargetFilename condition="end with">.zcrypt</TargetFilename>
+			<TargetFilename condition="end with">.zepto</TargetFilename>
+			<TargetFilename condition="end with">.zorro</TargetFilename>
+			<TargetFilename condition="end with">.zyklon</TargetFilename>
+			<TargetFilename condition="end with">.zzz</TargetFilename>
+			<TargetFilename condition="end with">.zzzzz</TargetFilename>
 		</FileCreate>
 	</RuleGroup>
 
@@ -1156,4 +1635,4 @@
 		<!--Cannot be filtered.-->
 
 	</EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>