魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2018-03-23 22:02:32 | 2018-03-23 22:05:06 | 154 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-1 | win7-sp1-x64-hpdapp03-1 | KVM | 2018-03-23 22:02:48 | 2018-03-23 22:05:05 |
| 魔盾分数 |
|---|
1.35正常的 |
文件详细信息
| 文件名 | gcway.dll |
|---|---|
| 文件大小 | 5423560 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| CRC32 | 5069BD98 |
| MD5 | dcbbc361458490199fb4ceabab7a7af8 |
| SHA1 | 075bf4d6e25edab83b355b04388645d2a740b6ac |
| SHA256 | f73d3fb4c86e94318591ca1aad83337ca97af952fc5a26421978c16b87b3f6ac |
| SHA512 | 738f43cd1be842a046438791a06978e395ca9da694d6db5135c462fdfb3472d525cea40fdb4802f95bc3dc2f2613fbf41f254ddc50d8f821abee041966b91bbd |
| Ssdeep | 98304:03xre9SxpUsVuPbP3PMhDDJ8+7wkkmAIdlp4kHQPJwGb:kxDxpUsGbvP098ICPIdlLHJGb |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2018-03-11 04:00:15 扫描结果: 0/66 |
特征
样本的签名证书合法
发起了一些HTTP请求
url: http://101.96.10.73/crl.microsoft.com/pki/crl/products/tspca.crl
创建RWX内存
非常规的二进制语言: Portuguese (Brazil)
二进制文件可能包含加密或压缩数据
section: name: .ddata1, entropy: 7.95, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00527600, virtual_size: 0x00527500
尝试阻止Cuckoo线程以防止恶意行为被记录
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 是 | 101.96.10.73 | China |
| 否 | 117.18.237.29 | Asia/Pacific Region |
域名解析
| 域名 | 响应 |
|---|---|
| ocsp.digicert.com |
CNAME cs9.wac.phicdn.net
A 117.18.237.29 |
TCP连接
| IP地址 | 端口 |
|---|---|
| 101.96.10.73 | 80 |
| 117.18.237.29 | 80 |
| 117.18.237.29 | 80 |
| 205.197.140.145 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEALE0eWKSmgMVo2jBH5%2BTV8%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEALE0eWKSmgMVo2jBH5%2BTV8%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com |
| http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRm%2FrYSaqNr0YBIv29H4pMHhv2XmQQUl0gD6xUIa7myWCPMlC7xxmXSZI4CEAbjDLmGOieH%2FRnXGniJRSQ%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRm%2FrYSaqNr0YBIv29H4pMHhv2XmQQUl0gD6xUIa7myWCPMlC7xxmXSZI4CEAbjDLmGOieH%2FRnXGniJRSQ%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com |
| http://crl.microsoft.com/pki/crl/products/tspca.crl | GET /pki/crl/products/tspca.crl HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 24 May 2014 05:04:54 GMT If-None-Match: "8ab194b3d77cf1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com |
| http://101.96.10.73/crl.microsoft.com/pki/crl/products/tspca.crl | GET /crl.microsoft.com/pki/crl/products/tspca.crl HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 24 May 2014 05:04:54 GMT If-None-Match: "8ab194b3d77cf1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: 101.96.10.73 |
| http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D HTTP/1.1 Cache-Control: max-age = 172800 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 02 Sep 2017 10:30:03 GMT If-None-Match: "59aa882b-1d7" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com |
静态分析
PE 信息
| 初始地址 | 0x10000000 |
|---|---|
| 入口地址 | 0x10944117 |
| 声明校验值 | 0x0052cc18 |
| 实际校验值 | 0x0052cc18 |
| 最低操作系统版本要求 | 5.1 |
| 编译时间 | 2018-01-26 04:35:34 |
| 载入哈希 | 0f81b2a81cb9f02069932fdb16090ac8 |
| 导出DLL库名称 | GCWay.dll |
版本信息
| LegalCopyright: | Copyright (C) 2017 |
| InternalName: | Grandchase |
| FileVersion: | 1.2.5.0 |
| CompanyName: | Grand Chase Way |
| ProductName: | Grand Chase Way |
| ProductVersion: | 1.0.0.0 |
| FileDescription: | Grand Chase Way |
| OriginalFilename: | Grandchase.exe |
| Translation: | 0x0416 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000e379c | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x000e5000 | 0x00042af4 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x00128000 | 0x00065a48 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .ddata0 | 0x0018e000 | 0x003c5aa8 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .ddata1 | 0x00554000 | 0x00527500 | 0x00527600 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.95 |
| .reloc | 0x00a7c000 | 0x000007c0 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.42 |
| .rsrc | 0x00a7d000 | 0x00000598 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.24 |
覆盖
| 偏移量: | 0x00528800 |
| 大小: | 0x000039c8 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x00a7d0a0 | 0x000002d4 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.37 | data |
| RT_MANIFEST | 0x00a7d374 | 0x00000224 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.04 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators |
导入
库 GDI32.dll:
• 0x10948000 - ChoosePixelFormat
• 0x10948004 - CreateDCA
• 0x10948008 - StretchBlt
• 0x1094800c - DeleteDC
• 0x10948010 - SetPixelFormat
库 PSAPI.DLL:
• 0x10948018 - EnumProcessModules
• 0x1094801c - GetProcessImageFileNameW
• 0x10948020 - GetModuleFileNameExA
库 gdiplus.dll:
• 0x10948028 - GdipGetImageEncodersSize
• 0x1094802c - GdipCloneImage
• 0x10948030 - GdipSaveImageToFile
• 0x10948034 - GdipCreateBitmapFromScan0
• 0x10948038 - GdipGetImageEncoders
• 0x1094803c - GdipFree
• 0x10948040 - GdipAlloc
• 0x10948044 - GdipDeleteBrush
• 0x10948048 - GdipCloneBrush
• 0x1094804c - GdipCreateSolidFill
• 0x10948050 - GdipDisposeImage
• 0x10948054 - GdipGetImageGraphicsContext
• 0x10948058 - GdipDeleteGraphics
• 0x1094805c - GdipGetDC
• 0x10948060 - GdipReleaseDC
• 0x10948064 - GdiplusStartup
• 0x10948068 - GdipSetCompositingQuality
• 0x1094806c - GdiplusShutdown
• 0x10948070 - GdipFillRectangleI
库 urlmon.dll:
• 0x10948078 - URLDownloadToFileW
库 WS2_32.dll:
• 0x10948080 - WSAGetLastError
• 0x10948084 - WSASetLastError
• 0x10948088 - closesocket
• 0x1094808c - setsockopt
• 0x10948090 - WSASend
• 0x10948094 - getaddrinfo
• 0x10948098 - freeaddrinfo
• 0x1094809c - htonl
• 0x109480a0 - WSACleanup
• 0x109480a4 - ioctlsocket
• 0x109480a8 - connect
• 0x109480ac - WSAStartup
• 0x109480b0 - inet_ntoa
• 0x109480b4 - ntohl
• 0x109480b8 - getsockopt
• 0x109480bc - WSAIoctl
• 0x109480c0 - bind
• 0x109480c4 - getsockname
• 0x109480c8 - WSARecv
• 0x109480cc - listen
• 0x109480d0 - accept
• 0x109480d4 - select
• 0x109480d8 - __WSAFDIsSet
• 0x109480dc - WSASocketW
库 OPENGL32.dll:
• 0x109480e4 - wglDeleteContext
• 0x109480e8 - wglMakeCurrent
• 0x109480ec - wglCreateContext
• 0x109480f0 - glGetString
库 ntdll.dll:
• 0x109480f8 - RtlAdjustPrivilege
• 0x109480fc - NtRaiseHardError
• 0x10948100 - NtShutdownSystem
• 0x10948104 - NtSetSystemPowerState
• 0x10948108 - RtlUnwind
• 0x1094810c - VerSetConditionMask
库 USER32.dll:
• 0x10948114 - wsprintfW
• 0x10948118 - EnumDisplayDevicesA
• 0x1094811c - EnumDisplayMonitors
• 0x10948120 - GetSystemMetrics
• 0x10948124 - GetMonitorInfoA
• 0x10948128 - UnionRect
• 0x1094812c - MessageBoxA
库 ole32.dll:
• 0x10948134 - CoCreateInstance
• 0x10948138 - CoUninitialize
• 0x1094813c - CoSetProxyBlanket
• 0x10948140 - CoInitialize
• 0x10948144 - CoInitializeEx
库 OLEAUT32.dll:
• 0x1094814c - VariantClear
• 0x10948150 - SysAllocString
• 0x10948154 - SysFreeString
• 0x10948158 - VariantInit
库 iphlpapi.dll:
• 0x10948160 - GetInterfaceInfo
• 0x10948164 - GetIpAddrTable
• 0x10948168 - GetIpForwardTable
• 0x1094816c - GetAdaptersAddresses
• 0x10948170 - GetNetworkParams
库 ADVAPI32.dll:
• 0x10948178 - RegEnumKeyExA
• 0x1094817c - QueryServiceStatus
• 0x10948180 - RegQueryInfoKeyA
• 0x10948184 - RegSetValueExA
• 0x10948188 - RegCreateKeyExA
• 0x1094818c - RegOpenKeyExA
• 0x10948190 - SetKernelObjectSecurity
• 0x10948194 - ConvertStringSecurityDescriptorToSecurityDescriptorA
• 0x10948198 - OpenProcessToken
• 0x1094819c - AdjustTokenPrivileges
• 0x109481a0 - LookupPrivilegeValueA
• 0x109481a4 - ControlService
• 0x109481a8 - StartServiceA
• 0x109481ac - DeleteService
• 0x109481b0 - OpenServiceW
• 0x109481b4 - CloseServiceHandle
• 0x109481b8 - CreateServiceW
• 0x109481bc - OpenSCManagerA
• 0x109481c0 - RegOpenKeyA
• 0x109481c4 - RegQueryValueExA
• 0x109481c8 - RegCloseKey
库 KERNEL32.dll:
• 0x109481d0 - GetModuleFileNameA
• 0x109481d4 - ReadConsoleW
• 0x109481d8 - GetConsoleMode
• 0x109481dc - ReadFile
• 0x109481e0 - GetOEMCP
• 0x109481e4 - GetACP
• 0x109481e8 - IsValidCodePage
• 0x109481ec - HeapSize
• 0x109481f0 - EnumSystemLocalesW
• 0x109481f4 - GetUserDefaultLCID
• 0x109481f8 - IsValidLocale
• 0x109481fc - GetLocaleInfoW
• 0x10948200 - LCMapStringW
• 0x10948204 - CompareStringW
• 0x10948208 - GetTimeFormatW
• 0x1094820c - GetDateFormatW
• 0x10948210 - SetEnvironmentVariableA
• 0x10948214 - GetCPInfo
• 0x10948218 - UnregisterWait
• 0x1094821c - RegisterWaitForSingleObject
• 0x10948220 - SetThreadAffinityMask
• 0x10948224 - GetProcessAffinityMask
• 0x10948228 - GetNumaHighestNodeNumber
• 0x1094822c - DeleteTimerQueueTimer
• 0x10948230 - WriteFile
• 0x10948234 - CreateTimerQueueTimer
• 0x10948238 - GetLogicalProcessorInformation
• 0x1094823c - SwitchToThread
• 0x10948240 - SignalObjectAndWait
• 0x10948244 - WaitForSingleObjectEx
• 0x10948248 - QueryDepthSList
• 0x1094824c - InterlockedFlushSList
• 0x10948250 - InterlockedPushEntrySList
• 0x10948254 - InterlockedPopEntrySList
• 0x10948258 - CreateTimerQueue
• 0x1094825c - GetEnvironmentStringsW
• 0x10948260 - CreateSemaphoreW
• 0x10948264 - GetModuleHandleW
• 0x10948268 - GetStartupInfoW
• 0x1094826c - TerminateProcess
• 0x10948270 - SetUnhandledExceptionFilter
• 0x10948274 - UnhandledExceptionFilter
• 0x10948278 - RaiseException
• 0x1094827c - WriteConsoleW
• 0x10948280 - GetModuleHandleExW
• 0x10948284 - GetModuleFileNameW
• 0x10948288 - GetFileType
• 0x1094828c - GetStdHandle
• 0x10948290 - IsDebuggerPresent
• 0x10948294 - LoadLibraryExW
• 0x10948298 - ExitThread
• 0x1094829c - GetCommandLineA
• 0x109482a0 - GetStringTypeW
• 0x109482a4 - DecodePointer
• 0x109482a8 - EncodePointer
• 0x109482ac - GetSystemTimeAsFileTime
• 0x109482b0 - AreFileApisANSI
• 0x109482b4 - GetFileAttributesExW
• 0x109482b8 - FindNextFileW
• 0x109482bc - FindFirstFileExW
• 0x109482c0 - FindClose
• 0x109482c4 - GetConsoleCP
• 0x109482c8 - SetFilePointerEx
• 0x109482cc - FlushFileBuffers
• 0x109482d0 - HeapReAlloc
• 0x109482d4 - OutputDebugStringW
• 0x109482d8 - FreeLibrary
• 0x109482dc - FreeLibraryAndExitThread
• 0x109482e0 - ReleaseSemaphore
• 0x109482e4 - InitializeSListHead
• 0x109482e8 - UnregisterWaitEx
• 0x109482ec - GetVersionExW
• 0x109482f0 - GetTimeZoneInformation
• 0x109482f4 - SetStdHandle
• 0x109482f8 - SetEndOfFile
• 0x109482fc - FormatMessageA
• 0x10948300 - LocalFree
• 0x10948304 - lstrlenA
• 0x10948308 - FreeEnvironmentStringsW
• 0x1094830c - ChangeTimerQueueTimer
• 0x10948310 - GetWindowsDirectoryW
• 0x10948314 - GetProcAddress
• 0x10948318 - GetModuleHandleA
• 0x1094831c - GetPrivateProfileIntA
• 0x10948320 - CreateThread
• 0x10948324 - ExitProcess
• 0x10948328 - Sleep
• 0x1094832c - VirtualProtect
• 0x10948330 - GetCurrentProcessId
• 0x10948334 - CreateToolhelp32Snapshot
• 0x10948338 - Process32First
• 0x1094833c - Process32Next
• 0x10948340 - CloseHandle
• 0x10948344 - OpenProcess
• 0x10948348 - WaitForSingleObject
• 0x1094834c - VirtualQuery
• 0x10948350 - WideCharToMultiByte
• 0x10948354 - GetTickCount
• 0x10948358 - lstrcpyW
• 0x1094835c - WritePrivateProfileStringA
• 0x10948360 - GetSystemInfo
• 0x10948364 - IsProcessorFeaturePresent
• 0x10948368 - OutputDebugStringA
• 0x1094836c - GetLastError
• 0x10948370 - TlsFree
• 0x10948374 - TlsAlloc
• 0x10948378 - UnmapViewOfFile
• 0x1094837c - GetCurrentDirectoryW
• 0x10948380 - GetCurrentDirectoryA
• 0x10948384 - CreateFileW
• 0x10948388 - QueryDosDeviceW
• 0x1094838c - IsWow64Process
• 0x10948390 - GetCurrentProcess
• 0x10948394 - DeviceIoControl
• 0x10948398 - GetWindowsDirectoryA
• 0x1094839c - CreateDirectoryA
• 0x109483a0 - DeleteFileA
• 0x109483a4 - SetEvent
• 0x109483a8 - CreateFileMappingA
• 0x109483ac - MapViewOfFile
• 0x109483b0 - CreateEventA
• 0x109483b4 - LeaveCriticalSection
• 0x109483b8 - EnterCriticalSection
• 0x109483bc - PostQueuedCompletionStatus
• 0x109483c0 - CreateProcessA
• 0x109483c4 - CreateIoCompletionPort
• 0x109483c8 - DeleteCriticalSection
• 0x109483cc - InitializeCriticalSectionAndSpinCount
• 0x109483d0 - VerifyVersionInfoA
• 0x109483d4 - QueueUserAPC
• 0x109483d8 - TerminateThread
• 0x109483dc - WaitForMultipleObjects
• 0x109483e0 - GetQueuedCompletionStatus
• 0x109483e4 - SetWaitableTimer
• 0x109483e8 - SetLastError
• 0x109483ec - TlsSetValue
• 0x109483f0 - TlsGetValue
• 0x109483f4 - SleepEx
• 0x109483f8 - CreateEventW
• 0x109483fc - DeleteFileW
• 0x10948400 - MultiByteToWideChar
• 0x10948404 - LoadLibraryW
• 0x10948408 - GetLogicalDriveStringsW
• 0x1094840c - GetFileInformationByHandle
• 0x10948410 - VirtualQueryEx
• 0x10948414 - GetModuleHandleExA
• 0x10948418 - GetComputerNameA
• 0x1094841c - GetEnvironmentVariableA
• 0x10948420 - CreateFileA
• 0x10948424 - HeapAlloc
• 0x10948428 - GetProcessHeap
• 0x1094842c - HeapFree
• 0x10948430 - QueryPerformanceCounter
• 0x10948434 - GetThreadTimes
• 0x10948438 - GetCurrentThread
• 0x1094843c - GetThreadContext
• 0x10948440 - VirtualFree
• 0x10948444 - InitializeCriticalSection
• 0x10948448 - SetThreadPriority
• 0x1094844c - FlushInstructionCache
• 0x10948450 - VirtualAlloc
• 0x10948454 - VirtualProtectEx
• 0x10948458 - OpenThread
• 0x1094845c - GetThreadPriority
• 0x10948460 - GetCurrentThreadId
• 0x10948464 - SuspendThread
• 0x10948468 - ResumeThread
• 0x1094846c - DuplicateHandle
库 WTSAPI32.dll:
• 0x10948474 - WTSSendMessageW
库 KERNEL32.dll:
• 0x1094847c - VirtualQuery
• 0x10948480 - GetSystemTimeAsFileTime
• 0x10948484 - GetModuleHandleA
• 0x10948488 - CreateEventA
• 0x1094848c - GetModuleFileNameW
• 0x10948490 - LoadLibraryA
• 0x10948494 - FreeLibrary
• 0x10948498 - TerminateProcess
• 0x1094849c - GetCurrentProcess
• 0x109484a0 - GetSystemInfo
• 0x109484a4 - CreateToolhelp32Snapshot
• 0x109484a8 - Thread32First
• 0x109484ac - GetCurrentProcessId
• 0x109484b0 - GetCurrentThreadId
• 0x109484b4 - OpenThread
• 0x109484b8 - Thread32Next
• 0x109484bc - CloseHandle
• 0x109484c0 - SuspendThread
• 0x109484c4 - ResumeThread
• 0x109484c8 - WriteProcessMemory
• 0x109484cc - VirtualAlloc
• 0x109484d0 - VirtualProtect
• 0x109484d4 - VirtualFree
• 0x109484d8 - GetProcessAffinityMask
• 0x109484dc - SetProcessAffinityMask
• 0x109484e0 - GetCurrentThread
• 0x109484e4 - SetThreadAffinityMask
• 0x109484e8 - Sleep
• 0x109484ec - GetTickCount
• 0x109484f0 - GlobalFree
• 0x109484f4 - GetProcAddress
• 0x109484f8 - LocalAlloc
• 0x109484fc - LocalFree
• 0x10948500 - ExitProcess
• 0x10948504 - EnterCriticalSection
• 0x10948508 - LeaveCriticalSection
• 0x1094850c - InitializeCriticalSection
• 0x10948510 - DeleteCriticalSection
• 0x10948514 - GetModuleHandleW
• 0x10948518 - LoadResource
• 0x1094851c - MultiByteToWideChar
• 0x10948520 - FindResourceExW
• 0x10948524 - FindResourceExA
• 0x10948528 - WideCharToMultiByte
• 0x1094852c - GetThreadLocale
• 0x10948530 - GetUserDefaultLCID
• 0x10948534 - GetSystemDefaultLCID
• 0x10948538 - EnumResourceNamesA
• 0x1094853c - EnumResourceNamesW
• 0x10948540 - EnumResourceLanguagesA
• 0x10948544 - EnumResourceLanguagesW
• 0x10948548 - EnumResourceTypesA
• 0x1094854c - EnumResourceTypesW
• 0x10948550 - CreateFileW
• 0x10948554 - LoadLibraryW
• 0x10948558 - GetLastError
• 0x1094855c - FlushFileBuffers
• 0x10948560 - CreateFileA
• 0x10948564 - WriteConsoleW
• 0x10948568 - GetConsoleOutputCP
• 0x1094856c - WriteConsoleA
• 0x10948570 - GetCommandLineA
• 0x10948574 - RaiseException
• 0x10948578 - RtlUnwind
• 0x1094857c - HeapFree
• 0x10948580 - GetCPInfo
• 0x10948584 - InterlockedIncrement
• 0x10948588 - InterlockedDecrement
• 0x1094858c - GetACP
• 0x10948590 - GetOEMCP
• 0x10948594 - IsValidCodePage
• 0x10948598 - TlsGetValue
• 0x1094859c - TlsAlloc
• 0x109485a0 - TlsSetValue
• 0x109485a4 - TlsFree
• 0x109485a8 - SetLastError
• 0x109485ac - UnhandledExceptionFilter
• 0x109485b0 - SetUnhandledExceptionFilter
• 0x109485b4 - IsDebuggerPresent
• 0x109485b8 - HeapAlloc
• 0x109485bc - LCMapStringA
• 0x109485c0 - LCMapStringW
• 0x109485c4 - SetHandleCount
• 0x109485c8 - GetStdHandle
• 0x109485cc - GetFileType
• 0x109485d0 - GetStartupInfoA
• 0x109485d4 - GetModuleFileNameA
• 0x109485d8 - FreeEnvironmentStringsA
• 0x109485dc - GetEnvironmentStrings
• 0x109485e0 - FreeEnvironmentStringsW
• 0x109485e4 - GetEnvironmentStringsW
• 0x109485e8 - HeapCreate
• 0x109485ec - HeapDestroy
• 0x109485f0 - QueryPerformanceCounter
• 0x109485f4 - HeapReAlloc
• 0x109485f8 - GetStringTypeA
• 0x109485fc - GetStringTypeW
• 0x10948600 - GetLocaleInfoA
• 0x10948604 - HeapSize
• 0x10948608 - WriteFile
• 0x1094860c - SetFilePointer
• 0x10948610 - GetConsoleCP
• 0x10948614 - GetConsoleMode
• 0x10948618 - InitializeCriticalSectionAndSpinCount
• 0x1094861c - SetStdHandle
库 USER32.dll:
• 0x10948624 - GetUserObjectInformationW
• 0x10948628 - CharUpperBuffW
• 0x1094862c - MessageBoxW
• 0x10948630 - GetProcessWindowStation
库 KERNEL32.dll:
• 0x10948638 - LocalAlloc
• 0x1094863c - LocalFree
• 0x10948640 - GetModuleFileNameW
• 0x10948644 - GetProcessAffinityMask
• 0x10948648 - SetProcessAffinityMask
• 0x1094864c - SetThreadAffinityMask
• 0x10948650 - Sleep
• 0x10948654 - ExitProcess
• 0x10948658 - FreeLibrary
• 0x1094865c - LoadLibraryA
• 0x10948660 - GetModuleHandleA
• 0x10948664 - GetProcAddress
库 USER32.dll:
• 0x1094866c - GetProcessWindowStation
• 0x10948670 - GetUserObjectInformationW
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x1001cc90 |
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 700, 上一级进程 PID: 272
访问的文件
- C:\Users\test\AppData\Local\Temp\gcway.dll
- C:\Users\test\AppData\Local\Temp\gcway.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\gcway.dll.124.Manifest
- C:\Windows\SysWOW64\rundll32.exe.Local\
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
- C:\Users\test\AppData\Local\Temp\OPENGL32.dll
- C:\Windows\System32\opengl32.dll
- C:\Users\test\AppData\Local\Temp\GLU32.dll
- C:\Windows\System32\glu32.dll
- C:\Users\test\AppData\Local\Temp\DDRAW.dll
- C:\Windows\System32\ddraw.dll
- C:\Users\test\AppData\Local\Temp\DCIMAN32.dll
- C:\Windows\System32\dciman32.dll
- C:\Users\test\AppData\Local\Temp\dwmapi.dll
- C:\Windows\System32\dwmapi.dll
- C:\Users\test\AppData\Local\Temp\iphlpapi.dll
- C:\Windows\System32\IPHLPAPI.DLL
- C:\Users\test\AppData\Local\Temp\WINNSI.DLL
- C:\Windows\System32\winnsi.dll
- C:\Users\test\AppData\Local\Temp\WTSAPI32.dll
- C:\Windows\System32\wtsapi32.dll
- C:\Users\test\AppData\Local\Temp\antihack64.sys
- C:\Windows\Fonts\staticcache.dat
读取的文件
- C:\Users\test\AppData\Local\Temp\gcway.dll
- C:\Users\test\AppData\Local\Temp\gcway.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\gcway.dll.124.Manifest
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
- C:\Windows\System32\opengl32.dll
- C:\Windows\System32\glu32.dll
- C:\Windows\System32\ddraw.dll
- C:\Windows\System32\dciman32.dll
- C:\Windows\System32\dwmapi.dll
- C:\Windows\System32\IPHLPAPI.DLL
- C:\Windows\System32\winnsi.dll
- C:\Windows\System32\wtsapi32.dll
- C:\Users\test\AppData\Local\Temp\antihack64.sys
- C:\Windows\Fonts\staticcache.dat
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.CreateEventExW
- kernel32.dll.CreateSemaphoreExW
- kernel32.dll.SetThreadStackGuarantee
- kernel32.dll.CreateThreadpoolTimer
- kernel32.dll.SetThreadpoolTimer
- kernel32.dll.WaitForThreadpoolTimerCallbacks
- kernel32.dll.CloseThreadpoolTimer
- kernel32.dll.CreateThreadpoolWait
- kernel32.dll.SetThreadpoolWait
- kernel32.dll.CloseThreadpoolWait
- kernel32.dll.FlushProcessWriteBuffers
- kernel32.dll.FreeLibraryWhenCallbackReturns
- kernel32.dll.GetCurrentProcessorNumber
- kernel32.dll.GetLogicalProcessorInformation
- kernel32.dll.CreateSymbolicLinkW
- kernel32.dll.EnumSystemLocalesEx
- kernel32.dll.CompareStringEx
- kernel32.dll.GetDateFormatEx
- kernel32.dll.GetLocaleInfoEx
- kernel32.dll.GetTimeFormatEx
- kernel32.dll.GetUserDefaultLocaleName
- kernel32.dll.IsValidLocaleName
- kernel32.dll.LCMapStringEx
- kernel32.dll.GetTickCount64
- ws2_32.dll.inet_addr
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Thread32First
- kernel32.dll.Thread32Next
- ntdll.dll.RtlGetVersion
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- gdi32.dll.GetFontAssocStatus