Craig Rider

  1. Craig Rider, in AU .nem3end RANSOMWARE:

     I've run lock.exe (as non-admin) against a clean Windows installation and got the following files. The temp.txt file has more content than on my previously infected machines, possibly because it was not run as admin and had no internet access.

       #DECRYPT_MY_FILES#.txt
       temp000000-2.txt
       Desert.jpg.1022949153.nem3end
       Chrysanthemum.jpg.1022949153.nem3end

     Is it possible this long string might be a key? This information hasn't been in the previous files (possibly deleted as part of the ransomware end-of-process cleanup?).
  2. Craig Rider, in AU .nem3end RANSOMWARE:

     Thank you for the confirmation. Could someone please have a look at the attached ZIP files for the RearLeftPC and WebSrv. The ransomware was delivered via RDP and looks to be manually executed (to me, or an automated process we interrupted). The file contents for each machine are different, as in, there appear to be some files left behind and not cleaned up. Please see these DIR captures for examples, in particular the WebSvr capture. The file lock.exe.ransomware.danger.seriesofnumbers.seriesofnumbers.nem3end looks interesting to me.
  3. Craig Rider, in AU .nem3end RANSOMWARE:

     https://www.virustotal.com/#/file/d7de0745b04d4579dd11fc3778b3cd1146d175769e2b10968b20f636abfd5eaf/detection
  4. Craig Rider, in AU .nem3end RANSOMWARE:

     https://id-ransomware.malwarehunterteam.com/identify.php?case=d69fc22e4707dfdc3bf46e080833cabe757ae71c
  5. Craig Rider, in AU .nem3end RANSOMWARE:

     Found some more things to look at.

       TMRDT.exe_20180613.152621.1164.log
       TMRDTSelfExtract.zip

     Ummm, maybe not.
  6. Craig Rider, in AU .nem3end RANSOMWARE:

     After some poking around in RegEdit, I found references to .nem3end and tmrdt.exe.

       WebSvr-reg.zip
  7. G'day. I have a few machines which were accessed via RDP. It looks like we interrupted them in the process, as I have a number of files from a few different machines which to me look like pieces of the jigsaw. (Possibly have the local and remote ID keys for a machine.) They used ProcessHacker in conjunction with Lock.exe.

     [email protected] [email protected] [email protected] [email protected]