we didn't found the file netcache64.sys, neighter on the server nor on the clients.
btw. the server is an SBS2011 vm on a free ESXI and the clients are windows 7 pc's
I'found an interesting log entry on a client pc:
Name: "rsa in log.evtx"
It seems, that all files were encrypted after this event. Unluckily, the file (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_ead19bd5-5202-4e39-995c-b88dd3680ff7)
in the event log was also encrypted.
Edited by ChristophTCMedia, 23 October 2017 - 06:19 AM.