RTMLocker Ransomware (N3ww4v3/Mimic)


This topic is locked
12 replies to this topic

#1 hibrid0
Members, 5 posts

Posted 21 March 2024 - 01:34 AM

Hi guys, yesterday a client was infected with this ransomware.

Today I have access to this PC and got sample files, and found a log from the virus and a folder where it operates.

 

In an internal tool I see this additional command execution where it set the password.

net user admin Qweasd!1

 

Log folder location:
c:\temp

Log folder contains:
MIMIC_LOG.txt
session.tmp

 

Virus Tools Folder Location:
c:\users\"USER"\appdata\local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B

Virus Tools Folder Content:
7za.exe
DC.exe
ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Everything.exe
Everything.ini
Everything2.ini
Everything32.dll
Everything64.dll
global_options.ini
gui35.exe
gui40.exe
rtmlocker.exe
session.tmp
xdel.exe

 

Rescue note name:

rtmlocker_DECRYPTION.txt

 

Rescue note content:

 

Rtmlocker Ransomware!!!
ATTENTION!
YOUR PERSONAL DECRYPTION ID - 85-Ws1GO20K9PY4_UdCE78b67Uek9DwXHshValgIYDg*exe
At the moment, your system is not protected.
We can fix it and restore your files.
To get started, send 1-2 small files to decrypt them as proof
You can trust us after opening them
2.Do not use free programs to unlock.
OUR CONTACTS:
rtmlocker@proton.me
 
Maybe it is possible to get the password from the global_options.ini?
I see this file is the configuration file for the virus; it defines the extensions to encrypt and more.
 
global_options.ini Content:
 

20=919284
21=Piusrpmnc
22=Local_Upcfgv
23=Local_Bcxpmvqcohr
25=C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\rtmlocker.exe
26=exe
27=sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;
28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
29=steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\;
30=desktop.ini;iconcache.db;thumbs.db;
31=AcronisAgent;ARSM;backup;BackupExecAgentAccelerator;BackupExecAgentBrowser;BackupExecDiveciMediaService;BackupExecJobEngine;BackupExecManagementService;BackupExecRPCService;BackupExecVSSProvider;CAARCUpdateSvc;CASAD2DWebSvc;ccEvtMgr;ccSetMgr;Culserver;dbeng8;dbsrv12;DefWatch;FishbowlMySQL;GxBlr;GxCIMgr;GxCVD;GxFWD;GxVss;memtas;mepocs;msexchange;MSExchange$;msftesql-Exchange;msmdsrv;MSSQL;MSSQL$;MSSQL$KAV_CS_ADMIN_KIT;MSSQL$MICROSOFT##SSEE;MSSQL$MICROSOFT##WID;MSSQL$SBSMONITORING;MSSQL$SHAREPOINT;MSSQL$VEEAMSQL2012;MSSQLFDLauncher$SBSMONITORING;MSSQLFDLauncher$SHAREPOINT;MSSQLServerADHelper100;MVArmor;MVarmor64;svc$;sophos;RTVscan;MySQL57;PDVFSService;QBCFMonitorService;QBFCService;QBIDPService;QBVSS;SavRoam;SQL;SQLADHLP;sqlagent;SQLAgent$KAV_CS_ADMIN_KIT;SQLAgent$SBSMONITORING;SQLAgent$SHAREPOINT;SQLAgent$VEEAMSQL2012;sqlbrowser;Sqlservr;SQLWriter;stc_raw_agent;tomcat6;veeam;VeeamDeploymentService;VeeamNFSSvc;VeeamTransportSvc;vmware-converter;vmware-usbarbitator64;VSNAPVSS;vss;wrapper;WSBExchange;YooBackup;YooIT;
32=agntsvc;AutodeskDesktopApp;axlbridge;bedbh;benetns;bengien;beserver;CoreSync;Creative Cloud;dbeng50;dbsnmp;encsvc;EnterpriseClient;fbguard;fbserver;fdhost;fdlauncher;httpd;isqlplussvc;msaccess;MsDtSrvr;msftesql;mspub;mydesktopqos;mydesktopservice;mysqld;mysqld-nt;mysqld-opt;ocautoupds;ocomm;ocssd;oracle;pvlsvr;node;java;python;wpython;QBDBMgr;QBDBMgrN;QBIDPService;qbupdate;QBW32;QBW64;Raccine;Raccine_x86;RaccineElevatedCfg;RaccineSettings;VeeamDeploymentSvc;RAgui;raw_agent_svc;SimplyConnectionManager;sqbcoreservice;sql;sqlagent;sqlbrowser;sqlmangr;sqlservr;sqlwriter;Ssms;Sysmon;Sysmon64;tbirdconfig;tomcat6;vsnapvss;vxmon;wdswfsafe;wsa_service;wxServer;wxServerView;xfssvccon;1cv8s;1cv8;1cv8c;
33=add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;
34=1
35=2
36=0
37=0
38=0
39=1
40=1
41=1
42=1
43=1
44=1
45=1
46=1
47=0
48=1
49=1
50=1
51=0
52=C:\;3;0;1
52=D:\;3;0;2
52=\\?\Volume{53c3d83f-8af8-4376-b16c-791eec0d5cd3}\;1;0;3
52=\\?\Volume{ed2c760d-9c10-4768-bb7f-cf7abc08fda3}\;1;0;4
53=1
54=0
55=1
56=1
57=1
58=1
59=1
60=1
61=1
62=1
63=Rtmlocker Ransomware!!!\nATTENTION!\nYOUR PERSONAL DECRYPTION ID - ID_PLACEHOLDER\nAt the moment, your system is not protected.\nWe can fix it and restore your files.\nTo get started, send 1-2 small files to decrypt them as proof\nYou can trust us after opening them\n2.Do not use free programs to unlock.\nOUR CONTACTS:\nrtmlocker@proton.me
64=2
65=2
66=1
 
 
 
MIMIC_LOG.txt Content:

[13:45:15] Mimic 6.3
[13:45:15] [*] SysInfo...
[13:45:15] ======== SYSTEM INFO ========
[13:45:15] WIN ARCH:   x64
[13:45:15] WIN VER:    10.0.22631
[13:45:15] CORE COUNT: 2
[13:45:15] MEM TOTAL:  11972 Mb.
[13:45:15] MEM AVAIL:  7001 Mb.
[13:45:15] IS DOMAIN:  No
[13:45:15] LOCAL SYS:  No
[13:45:15] ELEVATED:   Yes
[13:45:15] HAS ADMIN:  Yes
[13:45:15] PC NAME:    CONTABILIDAD
[13:45:15] USER NAME:  ferre
[13:45:15] IN GROUPS:
[13:45:15] <Integrity> Etiqueta obligatoria\Nivel obligatorio alto
[13:45:15] Todos
[13:45:15] NT AUTHORITY\Cuenta local y miembro del grupo de administradores
[13:45:15] BUILTIN\Administradores
[13:45:15] BUILTIN\Usuarios
[13:45:15] NT AUTHORITY\INTERACTIVE
[13:45:15] INICIO DE SESIÓN EN LA CONSOLA
[13:45:15] NT AUTHORITY\Usuarios autentificados
[13:45:15] NT AUTHORITY\Esta compañía
[13:45:15] MicrosoftAccount\*******@******.com
[13:45:15] NT AUTHORITY\Cuenta local
[13:45:15] NT AUTHORITY\LogonSessionId_0_1168521
[13:45:15] LOCAL
[13:45:15] NT AUTHORITY\Autenticación de cuentas en la nube
[13:45:15] =============================
[13:45:15] CMDLINE:    "C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\rtmlocker.exe" 
[13:45:15] [*] Set Privileges...
[13:45:15] [*] 24 privileges granted, 0 failed.
[13:45:15] [*] Priority...
[13:45:15] [*] Autostart...
[13:45:15] [*] Relaunch...
[13:45:15] [*] CLONE INFO: I'm a clone!
[13:45:15] =============================
[13:45:15] [*] Register hotkey...
[13:45:15] [*] Everything Setup...
[13:45:15] [*] Change Process DACL...
[13:45:15] [*] Set current dir...
[13:45:15] [*] Scanning user context mapped drives...
[13:45:15] [+] SetThreadToken success. Handle: 788
[13:45:15] =============================
[13:45:15] [*] Found 2 drives: 
[13:45:15] [*] C:\ - 63674 Mb. occupy (NTFS) (FIXED) (Label: Windows)
[13:45:15] [*] D:\ - 8835 Mb. occupy (NTFS) (FIXED) (Label: Data)
[13:45:15] [*] \\?\Volume{53c3d83f-8af8-4376-b16c-791eec0d5cd3}\ - 0 Mb. occupy () (HIDDEN) (Label: )
[13:45:15] [*] \\?\Volume{ed2c760d-9c10-4768-bb7f-cf7abc08fda3}\ - 0 Mb. occupy () (HIDDEN) (Label: )
[13:45:15] =============================
[13:45:15] [+] Success run: C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\gui40.exe (pid:8248)
[13:45:15] [*] Wait gui
[13:45:16] [+] Success run: "C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\Everything.exe" -startup (pid:13160)
[13:45:17] [*] Found gui. Handle: 919284
[13:45:17] Waiting for signal to continue
[13:45:29] Start hidden shares scan
[13:45:29] [*] Current IP: 192.168.10.128
[13:45:29] [*] Adapter Name: {A61BFF2A-06F2-4954-A803-A8BC50D67F24}
[13:45:29] [*] IP Address: 192.168.10.128
[13:45:29] [*] Gateway: 192.168.10.1
[13:45:29] [*] Adapter Name: {0CD8540B-3BEC-458A-AB0A-255A65E18F1B}
[13:45:29] [*] IP Address: 0.0.0.0
[13:45:29] [*] Gateway: 0.0.0.0
[13:45:29] [*] Adapter Name: {A230D696-EA94-4D58-A2D0-3BCA64A9B8AE}
[13:45:29] [*] IP Address: 0.0.0.0
[13:45:29] [*] Gateway: 0.0.0.0
[13:45:29] [*] Adapter Name: {1665F22F-CE31-4ABE-A138-5BA8B58EF9CE}
[13:45:29] [*] IP Address: 0.0.0.0
[13:45:29] [*] Gateway: 0.0.0.0
[13:45:29] [*] Adapter Name: {55F1A2A8-E03B-4570-9AE5-2ED6AFABD9B5}
[13:45:29] [*] IP Address: 0.0.0.0
[13:45:29] [*] Gateway: 0.0.0.0
[13:45:29] [*] Adapter Name: {A7D79F7D-52D8-4503-AB32-4DDAB13F905A}
[13:45:29] [*] IP Address: 0.0.0.0
[13:45:29] [*] Gateway: 0.0.0.0
[13:45:29] [*] ARP: 192.168.10.0
[13:45:29] [*] ARP: 192.168.100.0
[13:45:29] [*] CreateHostTable...
[13:45:29] [*] ScanHosts start. First address: 192.168.10.0
[13:45:29] [*] ScanHosts completed. Last address: 192.168.10.254
[13:45:59] [*] CreateHostTable...
[13:45:59] [*] ScanHosts start. First address: 192.168.100.0
[13:45:59] [*] ScanHosts completed. Last address: 192.168.100.254
[13:46:29] [*] AddHost: 255.255.255.255
[13:46:30] Hidden shares scan completed
[13:48:37] Waiting for signal to terminate
[13:48:37] [*] Backup session key success
[13:48:37] [*] Protect directory...: C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B
[13:48:37] [*] Using settings:
[13:48:37] [*] ------------------
[13:48:37] [*] NoteId:            85-Ws1GO20K9PY4_UdCE78b67Uek9DwXHshValgIYDg*exe
[13:48:37] [*] Keys count:        11153
[13:48:37] [*] Encrypt percent:   1 %
[13:48:37] [*] % for files:       2 MiB
[13:48:37] [*] Extension:         exe
[13:48:37] [*] Note file name:    rtmlocker_DECRYPTION.txt
[13:48:37] [*] File max size (stage1):     0 KiB
[13:48:37] [*] File max size (global):     0 KiB
[13:48:37] [*] Process max RAM:   0 MiB
[13:48:37] [*] Self delete:       yes
[13:48:37] [*] Priority modify:   yes
[13:48:37] [*] Log check sum:     no
[13:48:37] [*] Encrypt single:    no
[13:48:37] [*] Encrypt local:     yes
[13:48:37] [*] Encrypt net drive: yes
[13:48:37] [*] Encrypt net prio:  yes
[13:48:37] [*] Encrypt share:     yes
[13:48:37] [*] Encrypt hidden dr: yes
[13:48:37] [*] Anti-Kill protect: no
[13:48:37] [*] Disable defender:  yes
[13:48:37] [*] Visible:           no
[13:48:37] [*] Wipe drives:       yes
[13:48:37] [*] Log level:         3
[13:48:37] [*] Delete log at end: yes
[13:48:37] [*] Use Everything:    yes
[13:48:37] [*] Kill Telemetry:    yes
[13:48:37] [*] Kill Backup & SQL: yes
[13:48:37] [*] Disable UAC:       yes
[13:48:37] [*] Disable Recovery:  yes
[13:48:37] [*] Unmount Virt Drv:  yes
[13:48:37] [*] Search Hid Shares: yes
[13:48:37] [*] Block task man:    yes
[13:48:37] [*] Block shutdown:    yes
[13:48:37] [*] Local threads:     2
[13:48:37] [*] Network threads:   2
[13:48:37] [*] User threads:      2
[13:48:37] [*] Reserve mode:      None
[13:48:37] [*] Ext. priority:    sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;
[13:48:37] [*] Ext. exclude:     exe;386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
[13:48:37] [*] Files exclude:    desktop.ini;iconcache.db;thumbs.db;ntuser.ini;boot.ini;ntdetect.com;ntldr;NTUSER.DAT;bootmgr;BOOTNXT;BOOTTGT;session.tmp;rtmlocker_DECRYPTION.txt;
[13:48:37] [*] Dirs exclude:     steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\;C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B;
[13:48:37] [*] Exec commands:    add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;
[13:48:37] [*] Kill proc:        agntsvc.exe;AutodeskDesktopApp.exe;axlbridge.exe;bedbh.exe;benetns.exe;bengien.exe;beserver.exe;CoreSync.exe;Creative Cloud.exe;dbeng50.exe;dbsnmp.exe;encsvc.exe;EnterpriseClient.exe;fbguard.exe;fbserver.exe;fdhost.exe;fdlauncher.exe;httpd.exe;isqlplussvc.exe;msaccess.exe;MsDtSrvr.exe;msftesql.exe;mspub.exe;mydesktopqos.exe;mydesktopservice.exe;mysqld.exe;mysqld-nt.exe;mysqld-opt.exe;ocautoupds.exe;ocomm.exe;ocssd.exe;oracle.exe;pvlsvr.exe;node.exe;java.exe;python.exe;wpython.exe;QBDBMgr.exe;QBDBMgrN.exe;QBIDPService.exe;qbupdate.exe;QBW32.exe;QBW64.exe;Raccine.exe;Raccine_x86.exe;RaccineElevatedCfg.exe;RaccineSettings.exe;VeeamDeploymentSvc.exe;RAgui.exe;raw_agent_svc.exe;SimplyConnectionManager.exe;sqbcoreservice.exe;sql.exe;sqlagent.exe;sqlbrowser.exe;sqlmangr.exe;sqlservr.exe;sqlwriter.exe;Ssms.exe;Sysmon.exe;Sysmon64.exe;tbirdconfig.exe;tomcat6.exe;vsnapvss.exe;vxmon.exe;wdswfsafe.exe;wsa_service.exe;wxServer.exe;wxServerView.exe;xfssvccon.exe;1cv8s.exe;1cv8.exe;1cv8c.exe;
[13:48:37] [*] Kill service:     AcronisAgent;ARSM;backup;BackupExecAgentAccelerator;BackupExecAgentBrowser;BackupExecDiveciMediaService;BackupExecJobEngine;BackupExecManagementService;BackupExecRPCService;BackupExecVSSProvider;CAARCUpdateSvc;CASAD2DWebSvc;ccEvtMgr;ccSetMgr;Culserver;dbeng8;dbsrv12;DefWatch;FishbowlMySQL;GxBlr;GxCIMgr;GxCVD;GxFWD;GxVss;memtas;mepocs;msexchange;MSExchange$;msftesql-Exchange;msmdsrv;MSSQL;MSSQL$;MSSQL$KAV_CS_ADMIN_KIT;MSSQL$MICROSOFT##SSEE;MSSQL$MICROSOFT##WID;MSSQL$SBSMONITORING;MSSQL$SHAREPOINT;MSSQL$VEEAMSQL2012;MSSQLFDLauncher$SBSMONITORING;MSSQLFDLauncher$SHAREPOINT;MSSQLServerADHelper100;MVArmor;MVarmor64;svc$;sophos;RTVscan;MySQL57;PDVFSService;QBCFMonitorService;QBFCService;QBIDPService;QBVSS;SavRoam;SQL;SQLADHLP;sqlagent;SQLAgent$KAV_CS_ADMIN_KIT;SQLAgent$SBSMONITORING;SQLAgent$SHAREPOINT;SQLAgent$VEEAMSQL2012;sqlbrowser;Sqlservr;SQLWriter;stc_raw_agent;tomcat6;veeam;VeeamDeploymentService;VeeamNFSSvc;VeeamTransportSvc;vmware-converter;vmware-usbarbitator64;VSNAPVSS;vss;wrapper;WSBExchange;YooBackup;YooIT;
[13:48:37] [*] List of paths to handle:
[13:48:37] [x] C:\
[13:48:37] [x] D:\
[13:48:37] [x] \\?\Volume{53c3d83f-8af8-4376-b16c-791eec0d5cd3}\
[13:48:37] [x] \\?\Volume{ed2c760d-9c10-4768-bb7f-cf7abc08fda3}\
[13:48:37] [*] Block defender...
[13:48:37] [+] Success run: cmd.exe /c DC.exe /D (pid:8812)
[13:48:37] [*] Establishing IPC connection...
[13:48:37] [*] Run Watcher...
[13:48:37] [+] Success run: "C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\rtmlocker.exe" -e watch -pid 7488 -!  (pid:12348)
[13:48:37] [*] Unlocker1...
[13:48:37] [+] Success run: "C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\rtmlocker.exe" -e ul1 (pid:7128)
[13:48:37] [*] Unlocker2...
[13:48:38] [+] Success run: "C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B\rtmlocker.exe" -e ul2 (pid:2880)
[13:48:38] [*] Get Whitelist...
[13:48:38] [*] Added service: MSSQL$WORLDOFFICE
[13:48:38] [*] Added service: MSSQLServerADHelper
[13:48:38] [*] Added service: SQLBrowser
[13:48:38] [*] Added service: SQLWriter
[13:48:38] [*] Added service: WOBackupService
[13:48:38] [*] Added service: CloudBackupRestoreSvc_1220b8
[13:48:38] [*] Kill Services...
[13:48:38] [*] Service: WSearch
[13:48:38] [*] Service: pla
[13:48:38] [*] Service: DusmSvc
[13:48:38] [*] Service: defragsvc
[13:48:38] [*] Service: DoSvc
[13:48:38] [*] Service: wercplsupport
[13:48:38] [*] Service: SDRSVC
[13:48:38] [*] Service: TroubleshootingSvc
[13:48:38] [*] Service: Wecsvc
[13:48:38] [*] Service: fhsvc
[13:48:38] [*] Service: wbengine
[13:48:38] [*] Service: PcaSvc
[13:48:38] [*] Service: WerSvc
[13:48:38] [*] Service: SENS
[13:48:38] [*] Service: AppIDSvc
[13:48:38] [*] Service: BITS
[13:48:38] [*] Service: wuauserv
[13:48:38] [*] Service: SysMain
[13:48:38] [*] Service: DiagTrack
[13:48:38] [*] Service: diagnosticshub.standardcollector.service
[13:48:38] [*] Service: dmwappushservice
[13:48:38] [*] Service: WMPNetworkSvc
[13:48:38] [*] Service: DiagTrack
[13:48:38] [*] Kill Services list (no wait)...
[13:48:38] [*] Service: sqlbrowser
[13:48:38] [*] Service: SQLWriter
[13:48:38] [*] Service: vss
[13:48:38] [*] Service: MSSQL$WORLDOFFICE
[13:48:38] [*] Service: MSSQLServerADHelper
[13:48:38] [*] Service: SQLBrowser
[13:48:38] [*] Service: SQLWriter
[13:48:38] [*] Service: WOBackupService
[13:48:38] [*] Service: CloudBackupRestoreSvc_1220b8
[13:48:38] [*] Kill Services list (wait)...
[13:48:38] [*] Service: sqlbrowser
[13:48:38] [*] Service: SQLWriter
[13:48:38] [*] Service: vss
[13:48:38] [*] Service: MSSQL$WORLDOFFICE
[13:48:38] [*] Service: MSSQLServerADHelper
[13:48:38] [*] Service: SQLBrowser
[13:48:38] [*] Service: SQLWriter
[13:48:38] [*] Service: WOBackupService
[13:48:38] [*] Service: CloudBackupRestoreSvc_1220b8
[13:48:38] [*] Kill process list...
[13:48:38] [*] Kill process telemetry...
[13:48:38] [*] Process: SearchIndexer.exe
[13:48:38] [*] Kill process with high RAM...
[13:48:38] [*] Kill process backup & sql...
[13:48:40] [*] Anti-Kill...
[13:48:40] [*] Anti-Shutdown...
[13:48:40] [+] Success run: powercfg.exe -H off (pid:13016)
[13:48:40] [+] Success run: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 (pid:12948)
[13:48:40] [+] Success run: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 (pid:11788)
[13:48:40] [+] Success run: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 (pid:8640)
[13:48:40] [+] Success run: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 (pid:84)
[13:48:40] [+] Success run: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 (pid:11556)
[13:48:40] [+] Success run: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 (pid:2464)
[13:48:40] [+] Success run: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 (pid:3700)
[13:48:40] [+] Success run: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 (pid:2156)
[13:48:41] [+] Success run: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 (pid:8396)
[13:48:41] [+] Success run: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 (pid:3528)
[13:48:41] [+] Success run: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 (pid:12868)
[13:48:41] [+] Success run: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 (pid:4444)
[13:48:41] [+] Success run: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c (pid:2440)
[13:48:41] [+] Success run: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61 (pid:13032)
[13:48:41] [*] Long Path support...
[13:48:41] [*] Kill Telemetry policy...
[13:48:41] [*] UAC...
[13:48:41] Remove command line restrictions...
[13:48:41] Unmount virtual drives and images...
[13:48:41] [+] Success run: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM" (pid:8960)
[13:48:41] [+] Success run: powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage" (pid:12556)
[13:48:41] [+] Success run: powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage" (pid:13296)
[13:48:41] [*] Local threads...
[13:48:41] [*] Network shares threads...
[13:48:41] [+] SetThreadToken success. Handle: 788
[13:48:41] [+] SetThreadToken success. Handle: 788
[13:48:44] [*] Enumeration drives...
[13:48:44] [*] Waiting for local search...
[13:48:44] [*] Starting search with Everything...
[13:48:44] [*] Everything EnumResult of progressbar on drive: C:\
[13:48:44] [*] Search mask: <file:><nocase:><path:C:\><!ext:exe;386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp>file:<!endwith:exe><!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$RECYCLE.BIN\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"iconcache.db" !"thumbs.db" !"ntuser.ini" !"boot.ini" !"ntdetect.com" !"ntldr" !"NTUSER.DAT" !"bootmgr" !"BOOTNXT" !"BOOTTGT" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:48:44] [*] Everything SetSearch...
[13:48:44] [*] Everything SetRequestFlags...
[13:48:44] [*] Everything SetSort...
[13:48:45] [*] Everything Query...
[13:48:45] [*] Progressbar on drive C:\ files count: 18318
[13:48:45] [*] Everything EnumResult of progressbar on drive: D:\
[13:48:45] [*] Search mask: <file:><nocase:><path:D:\><!ext:exe;386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp>file:<!endwith:exe><!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$RECYCLE.BIN\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"iconcache.db" !"thumbs.db" !"ntuser.ini" !"boot.ini" !"ntdetect.com" !"ntldr" !"NTUSER.DAT" !"bootmgr" !"BOOTNXT" !"BOOTTGT" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:48:45] [*] Everything SetSearch...
[13:48:45] [*] Everything SetRequestFlags...
[13:48:45] [*] Everything SetSort...
[13:48:46] [*] Everything Query...
[13:48:46] [*] Progressbar on drive D:\ files count: 2987
[13:48:46] [*] Everything EnumResult of priority ext on drive: C:\
[13:48:46] [*] Search mask: <file:><nocase:><path:C:\><ext:;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff>file:<!endwith:exe><!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$RECYCLE.BIN\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"iconcache.db" !"thumbs.db" !"ntuser.ini" !"boot.ini" !"ntdetect.com" !"ntldr" !"NTUSER.DAT" !"bootmgr" !"BOOTNXT" !"BOOTTGT" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:48:46] [*] Everything SetSearch...
[13:48:46] [*] Everything SetRequestFlags...
[13:48:46] [*] Everything SetSort...
[13:48:47] [*] Everything Query...
[13:48:47] [*] Total files to encrypt: 858
[13:48:47] [*] Final Speed: 678 MB/sec (678 MB, elapsed: 1 sec)
[13:48:47] [*] Everything EnumResult of other ext on drive: C:\
[13:48:47] [*] Search mask: <file:><nocase:><path:C:\><!ext:;exe;386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff>file:<!endwith:exe><!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$RECYCLE.BIN\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"iconcache.db" !"thumbs.db" !"ntuser.ini" !"boot.ini" !"ntdetect.com" !"ntldr" !"NTUSER.DAT" !"bootmgr" !"BOOTNXT" !"BOOTTGT" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:48:47] [*] Everything SetSearch...
[13:48:47] [*] Everything SetRequestFlags...
[13:48:47] [*] Everything SetSort...
[13:48:47] [*] Everything Query...
[13:48:47] [*] Unlock queued: C:\Users\ferre\AppData\Local\ConnectedDevicesPlatform\4f4e80ddba764ee9\ActivitiesCache.db-wal
[13:48:47] [*] Unlock queued: C:\Users\ferre\AppData\Local\ConnectedDevicesPlatform\4f4e80ddba764ee9\ActivitiesCache.db-shm
[13:48:47] [*] Unlock queued: C:\Users\ferre\AppData\Local\ConnectedDevicesPlatform\4f4e80ddba764ee9\ActivitiesCache.db
[13:48:52] [*] Total files to encrypt: 17460
[13:48:52] [*] Cycle 1, Step 2: 1000 files processed (5 %)
[13:48:52] [*] Speed: 258 MB/sec (258 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 2000 files processed (11 %)
[13:48:52] [*] Speed: 408 MB/sec (408 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 3000 files processed (17 %)
[13:48:52] [*] Speed: 523 MB/sec (523 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 4000 files processed (22 %)
[13:48:52] [*] Speed: 595 MB/sec (595 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 5000 files processed (28 %)
[13:48:52] [*] Speed: 613 MB/sec (613 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 6000 files processed (34 %)
[13:48:52] [*] Speed: 720 MB/sec (720 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 7000 files processed (40 %)
[13:48:52] [*] Speed: 976 MB/sec (976 MB, elapsed: 1 sec)
[13:48:52] [*] Cycle 1, Step 2: 8000 files processed (45 %)
[13:48:52] [*] Speed: 1162 MB/sec (1162 MB, elapsed: 1 sec)
[13:48:53] [*] Unlock queued: C:\Users\ferre\AppData\Local\AMD\DxCache\0f396940d401ccd330dbfe231952c6599cb0d49d64e04c3d.bin
[13:48:53] [*] Unlock queued: C:\Program Files\AMD\atikmdag_dce.log
[13:48:53] [*] Unlock queued: C:\Users\ferre\OneDrive\.849C9593-D756-4E56-8D6E-42412F2A707B
[13:48:53] [*] Unlock queued: C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
[13:48:53] [*] Unlock queued: C:\Program Files\CCleaner\LOG\su_controller.log
[13:49:08] [*] Unlock queued: C:\Users\ferre\AppData\Local\AMD\DxCache\5f940a9a4c8c1dcff9f6ce9576d3f82ff8ed0f6f5b484844.bin
[13:49:08] [*] Unlock queued: C:\Program Files\CCleaner\LOG\su_telemetry.log
[13:49:14] [*] Cycle 1, Step 2: 9000 files processed (51 %)
[13:49:14] [*] Speed: 54 MB/sec (1198 MB, elapsed: 22 sec)
[13:49:14] [*] Cycle 1, Step 2: 10000 files processed (57 %)
[13:49:14] [*] Speed: 58 MB/sec (1279 MB, elapsed: 22 sec)
[13:49:14] [*] Cycle 1, Step 2: 11000 files processed (62 %)
[13:49:14] [*] Speed: 65 MB/sec (1437 MB, elapsed: 22 sec)
[13:49:14] [*] Cycle 1, Step 2: 12000 files processed (68 %)
[13:49:14] [*] Speed: 375 MB/sec (8267 MB, elapsed: 22 sec)
[13:49:22] [*] Unlock queued: C:\Users\ferre\AppData\Local\AMD\DxCache\74c3bee8b6ad00e6d86f339be3f9ac55fa06fc0fb379a741.bin
[13:49:26] [*] Unlock queued: C:\Users\ferre\AppData\Local\AMD\DxCache\61a6062baf4f31ae750f386ce71aa370b7bba5dda27098ac.bin
[13:49:27] [*] Unlock queued: C:\Users\ferre\NTUSER.DAT{a2332f18-cdbf-11ec-8680-002248483d79}.TM.blf
[13:49:27] [*] Unlock queued: C:\Users\ferre\NTUSER.DAT{a2332f18-cdbf-11ec-8680-002248483d79}.TMContainer00000000000000000001.regtrans-ms
[13:49:27] [*] Unlock queued: C:\Users\ferre\NTUSER.DAT{a2332f18-cdbf-11ec-8680-002248483d79}.TMContainer00000000000000000002.regtrans-ms
[13:49:27] [*] Unlock queued: C:\Users\ferre\ntuser.dat.LOG2
[13:49:27] [*] Unlock queued: C:\Users\ferre\ntuser.dat.LOG1
[13:49:32] [*] Cycle 1, Step 2: 13000 files processed (74 %)
[13:49:32] [*] Speed: 212 MB/sec (8270 MB, elapsed: 39 sec)
[13:49:32] [*] Cycle 1, Step 2: 14000 files processed (80 %)
[13:49:32] [*] Speed: 212 MB/sec (8274 MB, elapsed: 39 sec)
[13:49:32] [*] Cycle 1, Step 2: 15000 files processed (85 %)
[13:49:32] [*] Speed: 212 MB/sec (8291 MB, elapsed: 39 sec)
[13:49:32] [*] Cycle 1, Step 2: 16000 files processed (91 %)
[13:49:32] [*] Speed: 212 MB/sec (8292 MB, elapsed: 39 sec)
[13:49:48] [*] Unlock queued: C:\Users\ferre\AppData\Local\AMD\DxCache\33106ff85698c0950e5c1dcd8dab183fabcea10707dbaf46.bin
[13:49:55] [*] Cycle 1, Step 2: 17000 files processed (97 %)
[13:49:55] [*] Speed: 133 MB/sec (8293 MB, elapsed: 62 sec)
[13:49:55] [*] Final Speed: 134 MB/sec (8318 MB, elapsed: 62 sec)
[13:49:55] [*] Everything EnumResult of priority ext on drive: D:\
[13:49:55] [*] Search mask: <file:><nocase:><path:D:\><ext:;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff>file:<!endwith:exe><!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$RECYCLE.BIN\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"iconcache.db" !"thumbs.db" !"ntuser.ini" !"boot.ini" !"ntdetect.com" !"ntldr" !"NTUSER.DAT" !"bootmgr" !"BOOTNXT" !"BOOTTGT" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:49:55] [*] Everything SetSearch...
[13:49:55] [*] Everything SetRequestFlags...
[13:49:55] [*] Everything SetSort...
[13:49:55] [*] Everything Query...
[13:49:57] [*] Total files to encrypt: 301
[13:49:57] [*] Final Speed: 3834 MB/sec (3834 MB, elapsed: 1 sec)
[13:49:57] [*] Everything EnumResult of other ext on drive: D:\
[13:49:57] [*] Search mask: <file:><nocase:><path:D:\><!ext:;exe;386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff>file:<!endwith:exe><!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$RECYCLE.BIN\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"iconcache.db" !"thumbs.db" !"ntuser.ini" !"boot.ini" !"ntdetect.com" !"ntldr" !"NTUSER.DAT" !"bootmgr" !"BOOTNXT" !"BOOTTGT" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:49:57] [*] Everything SetSearch...
[13:49:57] [*] Everything SetRequestFlags...
[13:49:57] [*] Everything SetSort...
[13:49:57] [*] Everything Query...
[13:49:58] [*] Total files to encrypt: 2686
[13:49:58] [*] Cycle 1, Step 2: 1000 files processed (37 %)
[13:49:58] [*] Speed: 2326 MB/sec (2326 MB, elapsed: 1 sec)
[13:49:58] [*] Cycle 1, Step 2: 2000 files processed (74 %)
[13:49:58] [*] Speed: 3593 MB/sec (3593 MB, elapsed: 1 sec)
[13:49:58] [*] Final Speed: 4532 MB/sec (4532 MB, elapsed: 1 sec)
[13:49:58] [*] Starting search on drive: \\?\Volume{53c3d83f-8af8-4376-b16c-791eec0d5cd3}\
[13:49:58] [*] Starting search on drive: \\?\Volume{ed2c760d-9c10-4768-bb7f-cf7abc08fda3}\
[13:49:58] [*] Everything Scan finished.
[13:49:58] [*] Exiting thread search...
[13:49:58] [*] Added STOP MARKER to local thread.
 

 


Edited by quietman7, 22 March 2024 - 07:09 AM.
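The posted MIMIC_LOG.txt is the most useful forensic artifact in this thread: it records which locked files the encryptor tried to free, how many files each enumeration pass selected, and the exact Everything search masks that decide what is encrypted and what is skipped. The Python below is an added triage example written for this page, not code from the ransomware, from Everything, or from any poster. It runs over a constructed excerpt in the same line format as the log above (the two masks are shortened to a few extensions and exclusions), and the mask grammar it assumes (`<path:>`, `<ext:>`/`<!ext:>`, quoted directory exclusions after `file:<!endwith:exe>`, quoted name exclusions after `wholefilename:`) is taken from the two posted masks only. One detail worth pulling out: the exclusion list names the encryptor's own GUID folder under AppData\Local, the same folder listed in the first post, so the staging directory can be recovered from the log even after the folder is gone.

```python
"""Triage helpers for a Mimic/N3ww4v3-style MIMIC_LOG.txt (added example)."""
import re
import sys
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[\*\] (.*)$")
UNLOCK_RE = re.compile(r"^Unlock queued: (.+)$")
TOTAL_RE = re.compile(r"^Total files to encrypt: (\d+)$")
ENUM_RE = re.compile(r"^Everything EnumResult of (\w+) ext on drive: (.+)$")
MASK_RE = re.compile(r"^Search mask: (.+)$")
PATH_RE = re.compile(r"<path:([^>]+)>")
EXT_RE = re.compile(r"<(!?)ext:([^>]*)>")
# Assumed mask grammar (from the two posted masks): quoted directory exclusions
# follow file:<!endwith:exe>, quoted file-name exclusions follow wholefilename:.
GROUPS_RE = re.compile(r'file:<!endwith:exe><([^>]*)>wholefilename:<([^>]*)>')
QUOTED_RE = re.compile(r'!"([^"]+)"')
# GUID-named folder directly under AppData\Local: the staging folder seen in the thread.
STAGING_RE = re.compile(r"\\AppData\\Local\\[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def parse_search_mask(mask: str) -> Dict[str, object]:
    """Split one Everything search mask into the targeting decisions it encodes."""
    path = PATH_RE.search(mask)
    ext = EXT_RE.search(mask)
    groups = GROUPS_RE.search(mask)
    excluded_dirs = QUOTED_RE.findall(groups.group(1)) if groups else []
    excluded_names = QUOTED_RE.findall(groups.group(2)) if groups else []
    return {
        "drive": path.group(1) if path else None,
        # include = only these extensions (priority pass); exclude = everything but these.
        "ext_mode": "exclude" if ext and ext.group(1) == "!" else "include",
        "extensions": [e for e in ext.group(2).split(";") if e] if ext else [],
        "excluded_dirs": excluded_dirs,
        "excluded_names": excluded_names,
        # Exclusions that protect the encryptor's own tool folder: an IoC for free.
        "staging_dirs": [d for d in excluded_dirs if STAGING_RE.search(d)],
    }


def parse_log(text: str) -> Dict[str, object]:
    """One pass over the log: unlock attempts, per-pass totals, masks, time span."""
    unlock: List[str] = []
    passes: List[Dict[str, object]] = []
    masks: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    first_ts: Optional[str] = None
    last_ts: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        first_ts = first_ts or ts
        last_ts = ts
        if (u := UNLOCK_RE.match(msg)):
            unlock.append(u.group(1))
        elif (e := ENUM_RE.match(msg)):
            current = {"pass": e.group(1), "drive": e.group(2), "total": None}
            passes.append(current)
        elif (k := MASK_RE.match(msg)):
            masks.append(parse_search_mask(k.group(1)))
        elif (t := TOTAL_RE.match(msg)):
            if current is None:  # excerpt started mid-pass, as the posted log does
                current = {"pass": "unknown", "drive": "unknown", "total": None}
                passes.append(current)
            current["total"] = int(t.group(1))
            current = None
    return {
        "unlock_queued": unlock, "passes": passes, "masks": masks,
        "first_ts": first_ts, "last_ts": last_ts,
        "files_targeted": sum(p["total"] or 0 for p in passes),
    }


# Constructed sample in the format of the posted log; masks shortened for the demo.
SAMPLE_LOG = r"""
[13:48:47] [*] Unlock queued: C:\Users\ferre\AppData\Local\ConnectedDevicesPlatform\4f4e80ddba764ee9\ActivitiesCache.db
[13:48:52] [*] Total files to encrypt: 17460
[13:48:52] [*] Cycle 1, Step 2: 1000 files processed (5 %)
[13:49:27] [*] Unlock queued: C:\Users\ferre\ntuser.dat.LOG1
[13:49:55] [*] Final Speed: 134 MB/sec (8318 MB, elapsed: 62 sec)
[13:49:55] [*] Everything EnumResult of priority ext on drive: D:\
[13:49:55] [*] Search mask: <file:><nocase:><path:D:\><ext:;sql;mdf;xlsx;docx;bak>file:<!endwith:exe><!"\Windows\" !"\Temp\" !"C:\Users\ferre\AppData\Local\0F983A3D-FC63-C07E-6477-E3A5238DEF4B">wholefilename:<!"desktop.ini" !"session.tmp" !"rtmlocker_DECRYPTION.txt"><!size:0>
[13:49:55] [*] Everything Query...
[13:49:57] [*] Total files to encrypt: 301
[13:49:57] [*] Everything EnumResult of other ext on drive: D:\
[13:49:57] [*] Search mask: <file:><nocase:><path:D:\><!ext:;exe;dll;sys;sql;mdf;xlsx;docx;bak>file:<!endwith:exe><!"\Windows\" !"\Temp\">wholefilename:<!"desktop.ini"><!size:0>
[13:49:58] [*] Total files to encrypt: 2686
[13:49:58] [*] Everything Scan finished.
"""

if __name__ == "__main__":
    # Pass a real MIMIC_LOG.txt path as the first argument, else the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = parse_log(text)
    print(f"log span {r['first_ts']}..{r['last_ts']}, {len(r['unlock_queued'])} unlock attempts, "
          f"{r['files_targeted']} files targeted")
    for p in r["passes"]:
        print(f"  pass={p['pass']:<8} drive={p['drive']:<8} files={p['total']}")
    for mk in r["masks"]:
        print(f"  mask drive={mk['drive']} {mk['ext_mode']} {len(mk['extensions'])} ext, "
              f"staging={mk['staging_dirs']}")
```

On the full posted log the "unlock queued" list doubles as a list of files that were open at encryption time (registry hives, SQLite WAL files, application logs), which is worth cross-checking against what the host was running; the per-pass totals and the time span give a quick estimate of how long the encryptor had to run.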



#2 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 March 2024 - 05:08 AM

What is the actual name of the ransom note? 
 
RTM Locker (Read The Manual Locker) ransomware
RTM Locker Ransomware: In-Depth Analysis, Detection, and Mitigation
Linux version of RTM Locker ransomware targets VMware ESXi servers


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#3 hibrid0

  • Topic Starter
  • Members
  • 5 posts

Posted 21 March 2024 - 09:05 AM

The note name is:
rtmlocker_DECRYPTION.txt

#4 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 March 2024 - 09:26 AM

Looking at this line which includes a long string of alpha-numerical characters comprising a PERSONAL DECRYPTION ID with an asterisk (*)

YOUR PERSONAL DECRYPTION ID - 85-Ws1GO20K9PY4_UdCE78b67Uek9DwXHshValgIYDg*exe

...this could be a new variant of N3ww4v3/Mimic Ransomware which has been known to use such a pattern/format and sometimes reported to include a MIMIC_LOG.txt. 

 
Was .exe the file extension appended to the end of your encrypted data files?




#5 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 March 2024 - 09:36 AM

This is an example of a previous variant with a Datadecrypt.txt ransom note, which looks very similar to the contents of your note.
Datadecrypt Ransomware!!!
ATTENTION!
YOUR PERSONAL DECRYPTION ID - ENqQi-ydrLn3ueYd_i7UonPJMmTAHsyQFfYAFwt7cQ0*Telegram@datadecrypt
At the moment, your system is not protected.
We can fix it and restore your files.
To get started, send 1-2 small files to decrypt them as proof
You can trust us after opening them
2.Do not use free programs to unlock.
OUR CONTACTS:
Telegram - @datadecrypt

 

 

Your posted rtmlocker_DECRYPTION.txt ransom note content:

Rtmlocker Ransomware!!!
ATTENTION!
YOUR PERSONAL DECRYPTION ID - 85-Ws1GO20K9PY4_UdCE78b67Uek9DwXHshValgIYDg*exe
At the moment, your system is not protected.
We can fix it and restore your files.
To get started, send 1-2 small files to decrypt them as proof
You can trust us after opening them
2.Do not use free programs to unlock.
OUR CONTACTS:
rtmlocker@proton.me

 

 




#6 hibrid0

  • Topic Starter
  • Members
  • 5 posts

Posted 21 March 2024 - 11:49 AM

Is there any way to decrypt the info?
If I find a machine that has not been rebooted, can I recover the password from memory?

#7 Amigo-A

    Security specialist and Ransomware expert

  • Members
  • 3,057 posts
  • Gender:Male
  • Location:Bering Strait

Posted 21 March 2024 - 12:19 PM

RTM Locker Description 

https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux


My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#8 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 March 2024 - 12:51 PM

There is no known method that I am aware of to decrypt files encrypted by N3ww4v3/Mimic Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from those who created the ransomware unless they are leaked or seized & released by authorities.

 

The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (RSA, AES, Salsa20, ChaCha20, EDA2, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption.




#9 hibrid0

  • Topic Starter
  • Members
  • 5 posts

Posted 21 March 2024 - 01:21 PM

Is there any way to unpack these exe files?
The config file says 1% is encrypted and a maximum of 2 MB per file.
Is it possible to unpack the exe file and check the unencrypted content?

I'm trying on a virtual machine, but nothing I try works.
I'd like to unpack the infected files and rtmlocker.exe.

Edited by hibrid0, 21 March 2024 - 01:22 PM.


#10 hibrid0

  • Topic Starter
  • Members
  • 5 posts

Posted 21 March 2024 - 01:30 PM

No relevant information.

Edited by hibrid0, 21 March 2024 - 02:57 PM.


#11 al1963

  • Members
  • 1,181 posts

Posted 21 March 2024 - 11:56 PM

Looking at this line which includes a long string of alpha-numerical characters comprising a PERSONAL DECRYPTION ID with an asterisk (*)

YOUR PERSONAL DECRYPTION ID - 85-Ws1GO20K9PY4_UdCE78b67Uek9DwXHshValgIYDg*exe

...this could be a new variant of N3ww4v3/Mimic Ransomware which has been known to use such a pattern/format and sometimes reported to include a MIMIC_LOG.txt. 

 
Was .exe the file extension appended to the end of your encrypted data files?

yes, of course, this is a Mimic in all respects: the content of the ransom note, the log during the encryption process, the composition of the encryptor files, and the characteristic directory where the encryptor files are located.



#12 rivitna

  • Security Colleague
  • 220 posts
  • Gender:Male

Posted 22 March 2024 - 12:09 AM

I also think it's Mimic Ransomware.

https://www.virustotal.com/gui/file/8816bf5056a42f20cdd42209bf7553be1bd6d41eef6562976afcddde37b0abff



#13 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 March 2024 - 07:08 AM

@hibrid0

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, IT consultants, victims and company representatives who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.
 
Thanks
The BC Staff






