�� esetnod32.ru [��: �� .e-mail.ID*]

�� .e-mail.ID*

Wed, 04 Oct 2017 11:31:11 +0300

�� .e-mail.ID* ��, RSAUtil � �� .

====quote====
�� :
�� ?
=============
support@esetnod32.ru
�� ,
�� infected, �� , �� , �� ESET log collector, �� .
04.10.2017 11:31:11, santy.

�� .e-mail.ID*

Wed, 04 Oct 2017 11:23:01 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� ???
04.10.2017 11:23:01, �� .

�� .e-mail.ID*

Wed, 04 Oct 2017 10:51:43 +0300

�� .e-mail.ID* ��, RSAUtil � �� .

====quote====
�� :
��, �� . �� 32 �� . �� Win8.1 pro �� .
=============
��, �� . �� , � �� eset.
04.10.2017 10:51:43, santy.

�� .e-mail.ID*

Wed, 04 Oct 2017 10:29:32 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��, �� . �� 32 �� . �� Win8.1 pro �� .
04.10.2017 10:29:32, �� .

�� .e-mail.ID*

Mon, 11 Sep 2017 12:45:48 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��. ��.
11.09.2017 12:45:48, Andrey Yakyshev.

�� .e-mail.ID*

Mon, 11 Sep 2017 12:41:40 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� ,
�� . �� , �� - �� .
11.09.2017 12:41:40, santy.

�� .e-mail.ID*

Mon, 11 Sep 2017 12:35:55 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��
FIDJI_2017-09-11_12-26-02.rar
11.09.2017 12:35:55, Andrey Yakyshev.

�� .e-mail.ID*

Mon, 11 Sep 2017 12:06:59 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� IDRansomware

====quote====
��

ransomnote_filename: How_return_files.txt
ransomnote_email: bene556@gmx.de
sample_extension: ..ID
=============

�� RSAUtil Ransomware
�� .
��
https://www.bleepingcomputer.com/forums/t/646245/rsautil-ransomware-help-topic-how-return-filestxt-helppmeindiacom/
11.09.2017 12:06:59, santy.

�� .e-mail.ID*

Mon, 11 Sep 2017 12:02:41 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� :
(�� , �� .)

�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v4.0.10 [http://dsrt.dyndns.org]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
zoo %SystemDrive%\USERS\����\PICTURES\SVDHOST.EXE
zoo %SystemDrive%\USERS\����\APPDATA\ROAMING\MIICROSOFT\ST.BAT
;------------------------autoscript---------------------------

delall %SystemDrive%\USERS\����\APPDATA\LOCAL\TEMP\RARSFX5\1.VBS
delall %SystemDrive%\USERS\����\APPDATA\ROAMING\MIICROSOFT\ST.BAT
zoo %SystemDrive%\USERS\����\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\MICROSOFT OPERATING SYSTEM.EXE
addsgn A7679BF0AA0234BA4AD4C6F1F1891261848AFCF689AA7BF1A0C3C5BC50559D24704194DE5BBDAE92A2DD78F544E95C16DC9EE82BD6D738076F775BACCA8A0931 8 Win64/CoinMiner 7

zoo %SystemDrive%\USERS\����\APPDATA\ROAMING\MICROSOFT\WINDOWS\TEMPLATES\SVCHOST.EXE
addsgn BA6F9BB2BD994D720B9C2D754C21F8F9DA7503D3B5E41F787AE623A250D68E69CB09C357C17077572B8048530E95A5D23554E9F36DB9C341CD0288ACBF1E2606 8 TR/Drop.Agent.CE.10 7

addsgn BA6F9BB2BD994D720B9C2D754C21F8F9DA7503D3B5E41F787AE623A250D68E69CB09C357C17077572B8048530E95A5D23554E9F36DB9C341CD0288ACBF1E2606 8 Win64/CoinMiner 7

zoo %SystemDrive%\USERS\����\APPDATA\ROAMING\MIICROSOFT\RAN.EXE
addsgn 9AC0769A55024C720BD4C6E5508912ED79CAFCF60A3E131085C3C5BCB883314C23B49B637F55F5492B8084F7460649FA15DFE8725532F26C2D77077BF347229B 8 miner 7

addsgn A7679BF0AA02B4D14BD4C6B1FA881261848AFCF689AA7BF1A0C3C5BC50559D24704194DE5BBDAE92A2DD78F544E95CE6DC9FE82BD6D7E0FD6C775BACCA52F332 8 miner 7

chklst
delvir

delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DEFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ%26INSTALLSOURCE%3DONDEMAND%26UC
apply

deltmp
delref %SystemRoot%\SYSWOW64\SPOOL\DRIVERS\X64\3\CNAP3LAK.EXE
delref %SystemDrive%\USERS\����\APPDATA\ROAMING\MIICROSOFT\SSSSS.VBS
delref %SystemDrive%\USERS\����\APPDATA\ROAMING\MIICROSOFT\AAA.VBS
delref %SystemDrive%\USERS\671D~1\APPDATA\LOCAL\TEMP\CHROME_BITS_4928_8768\26.0.0.151_WIN64_PEPPERFLASHPLAYER.CRX3
delref %SystemDrive%\USERS\ANDREY\APPDATA\LOCAL\TEMP\CHROME_BITS_4808_27597\26.0.0.151_WIN64_PEPPERFLASHPLAYER.CRX3
delref %SystemDrive%\USERS\ANDREY\APPDATA\LOCAL\TEMP\CHROME_BITS_6272_2413\505_ALL_STHSET.CRX3
delref %SystemDrive%\USERS\IRINA\APPDATA\LOCAL\TEMP\CHROME_BITS_4240_6332\498_ALL_STHSET.CRX3
delref D:\�������\�����\SLS-SKLAD\SLS-SKLAD\MONITOR.EXE
delref A9A33436-678B-4C9C-A211-7CC38785E79D\[CLSID]
delref {23E5D772-327A-42F5-BDEE-C65C6796BB2A}\[CLSID]
delref {177AFECE-9599-46CF-90D7-68EC9EEB27B4}\[CLSID]
delref {CEF51277-5358-477B-858C-4E14F0C80BF7}\[CLSID]
delref {59116E30-02BD-4B84-BA1E-5D77E809B1A2}\[CLSID]
delref %SystemDrive%\VIRTUAL MACHINES\WINDOWS7\WINDOWS7.VMX
delref {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\[CLSID]
delref {166B1BCA-3F9C-11CF-8075-444553540000}\[CLSID]
delref {233C1507-6A77-46A4-9443-F871F945D258}\[CLSID]
delref {4063BE15-3B08-470D-A0D5-B37161CFFD69}\[CLSID]
delref {8AD9C840-044E-11D1-B3E9-00805F499D93}\[CLSID]
delref {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}\[CLSID]
delref {D27CDB6E-AE6D-11CF-96B8-444553540000}\[CLSID]
delref %SystemDrive%\PROGRAM FILES (X86)\YOTA\YOTA ACCESS (MODEMS)\YOTAACCESS.EXE
delref {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\[CLSID]
delref {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\[CLSID]
delref %Sys32%\MSSPELLCHECKINGFACILITY.DLL
delref %Sys32%\BLANK.HTM
delref %Sys32%\DRIVERS\NMPAR.SYS
delref %Sys32%\DRIVERS\NMSERIAL.SYS
delref %Sys32%\PSXSS.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.3\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.32.7\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.30.3\PSMACHINE_64.DLL
delref %Sys32%\SHAREMEDIACPL.CPL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.31.5\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.29.5\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.3\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.32.7\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.30.3\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\ACRORD32INFO.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.31.5\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.29.5\PSMACHINE.DLL
delref E:\AUTOINSTALL.EXE
delref D:\SETUP.EXE
delref D:\�������\�����\SLS-SKLAD\SKLAD_W.EXE
;-------------------------------------------------------------

restart
czoo

=============
��, �� .
------------
11.09.2017 12:02:41, santy.

�� .e-mail.ID*

Mon, 11 Sep 2017 11:49:14 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��
FIDJI_2017-09-11_11-26-43.rar
How_return_files.txt
11.09.2017 11:49:14, Andrey Yakyshev.

�� .e-mail.ID*

Mon, 11 Sep 2017 04:41:38 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
@Andrey Yakyshev,
�� , �� , �� .
+
�� .
11.09.2017 04:41:38, santy.

�� .e-mail.ID*

Sun, 10 Sep 2017 18:17:40 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� !
�� .
�� ?
�� Nod32 �� ?

�� - �� , �� .
0031001.rar
10.09.2017 18:17:40, Andrey Yakyshev.

�� .e-mail.ID*

Tue, 16 May 2017 13:28:41 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��,
��

====quote====
Identified by

ransomnote_filename: How_return_files.txt
sample_extension: ..ID

Click here for more information about RSAUtil

=============
�� . RSAUtil
https://www.bleepingcomputer.com/forums/t/646245/rsautil-ransomware-help-topic-how-return-filestxt-helppmeindiacom/

�� .

�� , �� , �� .
16.05.2017 13:28:41, santy.

�� .e-mail.ID*

Tue, 16 May 2017 11:54:36 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� , �� (�� IE11 � �� ).
How_return_files.txt
16.05.2017 11:54:36, ��.

�� .e-mail.ID*

Tue, 16 May 2017 05:45:23 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��,
�� How_return_files.txt
16.05.2017 05:45:23, santy.

�� .e-mail.ID*

Mon, 15 May 2017 19:14:40 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
� �� How_return_files.txt �� :

Your documents, photos, databases, save games and other important data was encrypted.
Data recovery the necessary interpreter.
To get the interpreter, should send an email to bm-2cv8unfeqfpyrfcxcmaehb5977kt8nazpn@bitmessage.ch
In a letter to include Your personal ID (see the beginning of this document).

Attention!
* Do not attempt to remove a program or run the anti-virus tools
* Attempts to decrypt the files will lead to loss of Your data
* Decoders other users is incompatible with Your data, as each user
unique encryption key

�� , �� , �� . � �� ID, � �� .

�� , �� -��, �� , �� .
15.05.2017 19:14:40, ��.

�� .e-mail.ID*

Mon, 15 May 2017 18:40:12 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
��,
�� ?

�� , �� . �� .
15.05.2017 18:40:12, santy.

�� .e-mail.ID*

Mon, 15 May 2017 18:17:39 +0300

�� .e-mail.ID* ��, RSAUtil � �� .
�� ! �� (�� ), �� .some@mail.ru.ID16035194, �� , �� , �� . ID �� , �� , �� . �� Kaspersky Removal Tool �� Trojan-Ransom.Win32.Agent.iyp, �� . Nod32 4.2.76.1 ��, � �� . �� -�� , �� ? �� .

-----------
�� , �� RSAUtil �� support@esetnod32.ru
�� .rar
15.05.2017 18:17:39, �� .

����� esetnod32.ru [����: ����������� ����� � ����������� .e-mail.ID*]

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

����������� ����� � ����������� .e-mail.ID*

�� esetnod32.ru [��: �� .e-mail.ID*]

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*

�� .e-mail.ID*