Original poster: zhou0197

[Virus sample] One RAT, do whatever you like with it, teasing is fine too... PM me if you want the scammer's QQ

追影子的十三
Posted 2017-1-9 21:00:59
Gets past the FS scan.
诸葛亮
Posted 2017-1-9 21:07:58
Filename: syntphelpersview.exe
Threat name: SONAR.Heuristic.158
Full Path: Not Available

____________________________

On computers as of 
2017/1/9 at 21:06:46

Last Used 
2017/1/9 at 21:06:46

Startup Item 
No

Launched 
Yes

SONAR Protection monitors for suspicious program activity on your computer.


____________________________


syntphelpersview.exe Threat name: SONAR.Heuristic.158
Locate


Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week ago.

High
This file risk is high.


____________________________


Source: External Media

Source File:
google.com

File Created:
syntphelpersview.exe

____________________________

File Actions

File: c:\sandbox\m\defaultbox\user\all\microsoft dementias\ syntphelpersview.exe Threat Removed
File: c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\ google.com Threat Removed
File: c:\sandbox\m\defaultbox\user\all\ qdeskpath.ini Threat Removed
File: c:\sandbox\m\defaultbox\user\current\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\ qdeskpath.ini Threat Removed
File: c:\sandbox\m\defaultbox\user\all\ config.dat Threat Removed
File: c:\sandbox\m\defaultbox\user\current\appdata\roaming\ qq截圖20170109e61da404e6d.jpg Threat Removed
File: c:\sandbox\m\defaultbox\user\all\nvidia corporation\drs\ nvdrssel.bin Threat Removed
File: c:\sandbox\m\defaultbox\user\all\nvidia corporation\drs\ nvapptimestamps Threat Removed
Directory: c:\sandbox\m\defaultbox\user\all\ microsoft dementias Threat Removed
Directory: c:\Sandbox\M\defaultbox\user\all\ QQGame Delete Failed
____________________________

Registry Actions

Registry change: HKEY_USERS\Sandbox_M_DefaultBox\MACHINE\SOFTWARE\ WOW6432Node, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\machine\software\microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\ OneDrive!S-1-5-21-3354391888-1156723752-2331256929-1001!Personal, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\Machine\SOFTWARE\Policies\Microsoft\Windows\ Appx, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\ AppModelUnlock, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ ZoneMap->ProxyBypass:1, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ ZoneMap->IntranetName:1, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ ZoneMap->UNCAsIntranet:1, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ ZoneMap->AutoDetect:0, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\machine\system\CurrentControlSet\Control\ NetworkProvider, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\machine\SOFTWARE\ NVIDIA Corporation, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ ICM, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\MACHINE\Software\Microsoft\ WindowsRuntime, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\ MMDevices, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ Desktop, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ {018D5C66-4533-4307-9B53-224DE2ED1FE6}, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ DelegateFolders, Registry Hive: 64 bit Threat Removed
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Tencent\ QQPinyin->SkinGUIDMini:10000000-0000-0000-0000-000000000001, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\software\Tencent\ QQPinyin->SkinFileNameMini, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\Sandbox_M_DefaultBox\user\current\SOFTWARE\Microsoft\ Windows Photo Viewer, Registry Hive: 64 bit Threat Removed
____________________________

Network Actions

Event: Network activity (Performed by c:\sandbox\m\defaultbox\user\all\microsoft dementias\syntphelpersview.exe, PID:2696) No action taken
____________________________

System Settings Actions

Event: Process start (Performed by c:\sandbox\m\defaultbox\user\all\microsoft dementias\syntphelpersview.exe, PID:2696) No action taken
(Performed by c:\sandbox\m\defaultbox\user\all\microsoft dementias\syntphelpersview.exe, PID:2696) No action taken
Event: Process start: c:\sandbox\m\defaultbox\user\all\microsoft dementias\ syntphelpersview.exe, PID:2696 (Performed by c:\sandbox\m\defaultbox\user\all\microsoft dementias\syntphelpersview.exe, PID:2696) No action taken
Event: Process start (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:6948) No action taken
(Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:6948) No action taken
Event: Process start: c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\ google.com, PID:6948 (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:6948) No action taken
Event: Process start (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: PE file creation: c:\sandbox\m\defaultbox\user\all\microsoft dementias\ syntphelpersview.exe (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
(Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: Process start: c:\Windows\SysWOW64\ rundll32.exe, PID:7192 (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: PE file creation: c:\Sandbox\M\defaultbox\user\all\ Link.exe (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: PE file creation: c:\Sandbox\M\defaultbox\user\all\QQGame\ QQGame.exe (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: Process start: c:\Sandbox\M\defaultbox\user\all\QQGame\ QQGame.exe, PID:5056 (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: Process start: c:\sandbox\m\defaultbox\user\all\microsoft dementias\ syntphelpersview.exe, PID:2696 (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: Process start: c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\ google.com, PID:1512 (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
Event: Process start: c:\program files (x86)\Tencent\QQPinyin\5.4.3311.400\ qqpyservice.exe, PID:4804 (Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:1512) No action taken
____________________________

Suspicious Actions

(Performed by c:\users\m\desktop\剑灵官方最新价格表\剑灵官方最新价格表\dat\google.com, PID:6948) No action taken
____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
xu3160668
Posted 2017-1-9 21:14:12

Double-click it and it will definitely get past.
llcy
Posted 2017-1-9 21:32:30
360 kill
vm001
Posted 2017-1-9 21:36:36

The file itself evades 360, but then the behavior blocker flags it as malicious.

347636681
Posted 2017-1-9 21:46:33
青衣染雪 posted 2017-1-9 20:50:
Huorong's proactive defense works wonders on this kind of thing

That is not proactive defense.
347636681
Posted 2017-1-9 21:46:49
No_Virus posted 2017-1-9 20:48:
Huorong flags it by behavior on double-click

It merely blacklisted the file, nothing more.
347636681
Posted 2017-1-9 21:47:45
vm001 posted 2017-1-9 21:36:
The file itself evades 360, but then the behavior blocker flags it as malicious.

Where exactly do you see that it was a behavioral detection?
vm001
Posted 2017-1-9 21:48:41
347636681 posted 2017-1-9 21:46:
It merely blacklisted the file, nothing more.

You don't know jack; this is a genuine behavior-pattern detection.
青衣染雪
Posted 2017-1-9 21:49:11
347636681 posted 2017-1-9 21:46:
It merely blacklisted the file, nothing more.

Copyright © KaFan  KaFan.cn All Rights Reserved.