Craig Rider
  1. I've run lock.exe (as non-admin) against a clean Windows installation and got the following files. The temp.txt file has more content than on my previously infected machines - possibly because it was not run as admin and had no internet access. #DECRYPT_MY_FILES#.txt temp000000-2.txt Desert.jpg.1022949153.nem3end Chrysanthemum.jpg.1022949153.nem3end Is it possible this long string might be a key? This information hasn't been in the previous files (possibly deleted as part of the ransomware's end-of-process cleanup?)
  2. Thank you for the confirmation. Could someone please have a look at the attached ZIP files for the RearLeftPC and WebSrv. The ransomware was delivered via RDP and looks to be manually executed (to me - or an automated process we interrupted). The file contents for each machine are different, as in, there appear to be some files left behind and not cleaned up. Please see these DIR captures for examples, in particular the WebSvr capture. The file lock.exe.ransomware.danger.seriesofnumbers.seriesofnumbers.nem3end looks interesting to me.
  3. https://www.virustotal.com/#/file/d7de0745b04d4579dd11fc3778b3cd1146d175769e2b10968b20f636abfd5eaf/detection
  4. https://id-ransomware.malwarehunterteam.com/identify.php?case=d69fc22e4707dfdc3bf46e080833cabe757ae71c
  5. Found some more things to look at. TMRDT.exe_20180613.152621.1164.log TMRDTSelfExtract.zip Ummm, maybe not.
  6. After some poking around in RegEdit I found references to .nem3end and tmrdt.exe. WebSvr-reg.zip
  7. G'day, I have a few machines which were accessed via RDP. It looks like we interrupted them in the process, as I have a number of files from a few different machines which to me look like pieces of the jigsaw. (Possibly have the local and remote ID keys for a machine.) They used ProcessHacker in conjunction with Lock.exe [email protected] [email protected] [email protected] [email protected]