GandCrab 5.2 (19.05.20)

显示全部楼层 · 发表于 2019-5-20 23:01:55

avira解压kill 1 双击APC kill 2

显示全部楼层 · 发表于 2019-5-20 23:02:24

Both were blocked by G DATA.

Suspicious access to your file system has been detected that indicate an encryption Trojan.
The following processes were therefore interrupted by G DATA for security reasons:
----------------------------------------------------------------
C:\Windows\System32\svchost.exe (PID 1164)
C:\Windows\System32\svchost.exe (PID 1032)
C:\Windows\System32\svchost.exe (PID 2976)
C:\Windows\System32\wermgr.exe (PID 6788)
C:\Windows\System32\taskhost.exe (PID 5396)
C:\Windows\System32\DsmUserTask.exe (PID 2960)
C:\Windows\WinStore\WSHost.exe (PID 6524)
C:\Windows\System32\taskhostex.exe (PID 2844)
C:\Windows\System32\sppsvc.exe (PID 1800)
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe (PID 4092)
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe (PID 3600)
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe (PID 6124)
C:\Program Files\Bandizip\Bandizip.exe (PID 7108)
C:\Program Files\Bandizip\Updater.exe (PID 948)
C:\Users\promi\AppData\Local\Temp\BNZ.5ce2bfdd31a673\1.exe (PID 6488)
----------------------------------------------------------------
If blocked, the following programs responsible will be moved to Quarantine:
----------------------------------------------------------------
C:\Users\promi\AppData\Local\Temp\BNZ.5ce2bfdd31a673\1.exe
----------------------------------------------------------------
Detected suspicious activities:
----------------------------------------------------------------
Created: C:\Users\promi\AppData\HQBZWHXEV-MANUAL.txt
Created: C:\Users\promi\AppData\Local\VirtualStore\HQBZWHXEV-MANUAL.txt
Created: C:\LeakHotfix\HQBZWHXEV-MANUAL.txt
Created: C:\Users\promi\AppData\Local\VirtualStore\Program Files\HQBZWHXEV-MANUAL.txt
Created: C:\Users\promi\AppData\Local\VirtualStore\Program Files (x86)\HQBZWHXEV-MANUAL.txt
Created: C:\Users\promi\AppData\Local\Temp\DMIE3C4.tmp
Created: C:\Users\promi\AppData\Local\Temp\DMIE3C4.tmp.log.xml
Created: C:\Users\promi\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_9b7b96e7449d9b89f8a366d8a7931ec83e213_00000000_cab_0bbfe441\DMIE3C4.tmp.log.xml
Created: C:\Users\promi\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_9b7b96e7449d9b89f8a366d8a7931ec83e213_00000000_cab_0bbfe441\Report.wer
Created: C:\Windows\SoftwareDistribution\Download\b2f1109cd6afa55900702fafa43c67fa\BlockMap.xml
Created: C:\Users\promi\AppData\Local\Microsoft\Windows\INetCookies\container.dat
----------------------------------------------------------------
The user blocked access.

复制代码

Suspicious access to your file system has been detected that indicate an encryption Trojan.
The following processes were therefore interrupted by G DATA for security reasons:
----------------------------------------------------------------
C:\Windows\System32\svchost.exe (PID 1164)
C:\Windows\System32\svchost.exe (PID 1032)
C:\Users\promi\AppData\Local\Temp\BNZ.5ce2c00b325a13\2.exe (PID 5036)
C:\Windows\System32\svchost.exe (PID 2976)
C:\Windows\System32\wermgr.exe (PID 6788)
C:\Windows\System32\taskhost.exe (PID 5396)
C:\Windows\System32\DsmUserTask.exe (PID 2960)
C:\Windows\WinStore\WSHost.exe (PID 6524)
C:\Windows\System32\taskhostex.exe (PID 2844)
C:\Windows\System32\sppsvc.exe (PID 1800)
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe (PID 4092)
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe (PID 3600)
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe (PID 6124)
C:\Program Files\Bandizip\Bandizip.exe (PID 7108)
C:\Program Files\Bandizip\Updater.exe (PID 948)
C:\Users\promi\AppData\Local\Temp\BNZ.5ce2bfdd31a673\1.exe (PID 6488)
C:\Program Files\Bandizip\Bandizip.exe (PID 4712)
----------------------------------------------------------------
If blocked, the following programs responsible will be moved to Quarantine:
----------------------------------------------------------------
C:\Users\promi\AppData\Local\Temp\BNZ.5ce2bfdd31a673\1.exe
----------------------------------------------------------------
Detected suspicious activities:
----------------------------------------------------------------
Created: C:\Users\promi\AppData\CMCWHNHQ-MANUAL.txt
Created: C:\Users\promi\AppData\Local\VirtualStore\CMCWHNHQ-MANUAL.txt
Created: C:\LeakHotfix\CMCWHNHQ-MANUAL.txt
Created: C:\Users\promi\AppData\Local\VirtualStore\Program Files\CMCWHNHQ-MANUAL.txt
Created: C:\Users\promi\AppData\Local\VirtualStore\Program Files (x86)\CMCWHNHQ-MANUAL.txt
Created: C:\Users\promi\AppData\Local\Temp\DMIE3C4.tmp
Created: C:\Users\promi\AppData\Local\Temp\DMIE3C4.tmp.log.xml
Created: C:\Users\promi\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_9b7b96e7449d9b89f8a366d8a7931ec83e213_00000000_cab_0bbfe441\DMIE3C4.tmp.log.xml
Created: C:\Users\promi\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_9b7b96e7449d9b89f8a366d8a7931ec83e213_00000000_cab_0bbfe441\Report.wer
Created: C:\Windows\SoftwareDistribution\Download\b2f1109cd6afa55900702fafa43c67fa\BlockMap.xml
Created: C:\Users\promi\AppData\Local\Microsoft\Windows\INetCookies\container.dat
----------------------------------------------------------------
The user blocked access.

复制代码

显示全部楼层 · 发表于 2019-5-20 23:11:17

智量Heur清空，火绒miss all，有空双击。。

显示全部楼层 · 发表于 2019-5-20 23:12:59

安天智甲、管家无BD，均MISS 。

显示全部楼层 · 发表于 2019-5-20 23:15:40

瑞星安全云kill all

双击被加密

显示全部楼层 · 发表于 2019-5-20 23:20:52

www-tekeze 发表于 2019-5-20 23:11
智量Heur清空，火绒miss all，有空双击。。

退出火绒，关闭智量监控，两个都被主防杀。。

显示全部楼层 · 发表于 2019-5-20 23:21:27

显示全部楼层 · 发表于 2019-5-20 23:37:44

www-tekeze 发表于 2019-5-20 23:11
智量Heur清空，火绒miss all，有空双击。。

退出智量，双击第一个弹窗就报勒索，两个样本情况相同。。

PS：开启勒索诱捕。

显示全部楼层 · 发表于 2019-5-21 04:15:29

McAfee Kill All

显示全部楼层 · 发表于 2019-5-21 09:22:06

avast 今早已经是2个解压出来就都杀了

[病毒样本] GandCrab 5.2 (19.05.20)

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源