Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-3  2018-06-29 19:30:48  2018-06-29 19:34:12  204 seconds

Maldun score

2.65

Suspicious

File details

File name OSPPC.DLL
File size 148736 bytes
File type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 8c362bc4687838891922dbd00d622acd
SHA1 baa7b4fba6519d3f3d3da305e7fcab31f1ec8051
SHA256 383ff92cf608b77a1e5e24d65f2089d8b22c1594b58f0f86994322586fe5cede
SHA512 3504c0097400fc05591e275e64aeba899a2a9def68e2313b6b73d9185bf8683d991bdafc79c1d9e74ac897d11c907c254d44817e100ac9e17c3ab55d0d5e90f4
CRC32 CCACB0DF
Ssdeep 3072:yXi0jXgbuEIgGQd8/+A63W9HbXctZyaWCZtFvmbTuN7:yljXgChQd8/+ARHlCVvmU

Accessed hosts

Direct IP  Security rating  Geolocation
101.110.118.25  China
101.110.118.61  China
101.110.118.63  China

Domain resolution

No domain information.


Summary

No information to display.
.text
`.data
.pdata
@.rsrc
@.reloc
EventWrite
Without specific written consent from Microsoft, it is illegal to reverse engineer, debug or change this binary.
NotifyServiceStatusChangeW
EventRegister
2.1.4.0, Mon 03/02/2009 12:32:57.69
EventEnabled
EventUnregister
osppc.dll
SLCallServer
SLClose
SLConsumeRight
SLDepositOfflineConfirmationId
SLFireEvent
SLGenerateOfflineInstallationId
SLGetApplicationInformation
SLGetApplicationPolicy
SLGetAuthenticationResult
SLGetEncryptedPIDEx
SLGetGenuineInformation
SLGetInstalledProductKeyIds
SLGetLicense
SLGetLicenseFileId
SLGetLicenseInformation
SLGetLicensingStatusInformation
SLGetPKeyId
SLGetPKeyInformation
SLGetPolicyInformation
SLGetPolicyInformationDWORD
SLGetProductSkuInformation
SLGetSLIDList
SLGetServiceInformation
SLInstallLicense
SLInstallProofOfPurchase
SLInstallProofOfPurchaseEx
SLIsGenuineLocalEx
SLLoadApplicationPolicies
SLOpen
SLPersistApplicationPolicies
SLPersistRTSPayloadOverride
SLReArm
SLRegisterEvent
SLRegisterPlugin
SLSetAuthenticationData
SLSetCurrentProductKey
SLSetGenuineInformation
SLUninstallLicense
SLUninstallProofOfPurchase
SLUnloadApplicationPolicies
SLUnregisterEvent
SLUnregisterPlugin
SLpAuthenticateGenuineTicketResponse
SLpBeginGenuineTicketTransaction
SLpDepositTokenActivationResponse
SLpGenerateTokenActivationChallenge
SLpGetGenuineBlob
SLpGetGenuineLocal
SLpGetLicenseAcquisitionInfo
SLpGetMSPidInformation
SLpGetMachineUGUID
SLpGetTokenActivationGrantInfo
SLpVLActivateProduct
ADVAPI32.dll
KERNEL32.dll
RPCRT4.dll
ntdll.dll
msvcrt.dll
memset
memcpy
_onexit
_lock
__dllonexit
_unlock
__C_specific_handler
_amsg_exit
_initterm
malloc
_XcptFilter
_vsnwprintf
memmove
memcmp
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
I_RpcMapWin32Status
RpcBindingFree
RpcStringFreeW
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
NdrClientCall2
I_RpcExceptionFilter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetTickCount
QueryPerformanceCounter
WaitForSingleObjectEx
RaiseException
CloseHandle
GetThreadPriority
GetProcessAffinityMask
LeaveCriticalSection
EnterCriticalSection
GetCurrentThreadId
WaitForMultipleObjects
ReleaseSemaphore
Sleep
SleepEx
GetVersionExW
SetEvent
GetModuleHandleW
CreateSemaphoreW
CreateEventW
EncodePointer
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
GetCurrentProcessId
OpenProcess
LocalFree
CreateThread
GetModuleFileNameW
VirtualQuery
FreeLibraryAndExitThread
GetCurrentThread
SetThreadPriority
ReleaseMutex
WaitForSingleObject
OpenMutexW
CreateMutexW
FreeLibrary
GetLastError
GetCurrentProcess
GetProcAddress
GetVersion
GetSystemInfo
DecodePointer
SetLastError
DisableThreadLibraryCalls
GetProcessHeap
HeapFree
HeapAlloc
LoadLibraryW
LocalAlloc
FreeSid
AllocateAndInitializeSid
CloseServiceHandle
SetThreadToken
OpenServiceW
OpenSCManagerW
RevertToSelf
OpenThreadToken
QueryServiceStatus
StartServiceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
TraceMessage
osppc.pdb
0<>/C
msft:spp/events/private/rewire
S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies
ServiceSessionId
OSPPSvc
msft:rm/event/windows/consumeright
msft:rm/event/usernotification
msft:rm/event/policychanged
msft:rm/event/licensingstatechanged
%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x
D:PAI(A;OICI;FA;;;WD)
Channel
Volume:CSVLK
IsKeyManagementService
LicensingStatus
DependsOn
DigitalEncryptedPID
Global\552FFA80-3393-423d-8671-7BA046BB5906
{2233362A-798F-4319-BE6A-0425F899BF04}
OSPPSvc
Value
advapi32
%s\%s
SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
OSPPCTransportEndpoint-00001
ncalrpc
NT AUTHORITY\NETWORKSERVICE
advapi32.dll
Antivirus engine/vendor  Virus name/rule match  Virus database date
Bkav  No virus found  20180604
MicroWorld-eScan  No virus found  20180604
nProtect  No virus found  20180604
CMC  No virus found  20180604
CAT-QuickHeal  No virus found  20180604
McAfee  No virus found  20180604
Cylance  No virus found  20180604
VIPRE  No virus found  20180604
TheHacker  No virus found  20180531
K7GW  No virus found  20180604
K7AntiVirus  No virus found  20180604
Invincea  No virus found  20180601
Baidu  No virus found  20180604
NANO-Antivirus  No virus found  20180604
F-Prot  No virus found  20180604
Symantec  No virus found  20180604
TotalDefense  No virus found  20180604
TrendMicro-HouseCall  No virus found  20180604
Avast  No virus found  20180604
ClamAV  No virus found  20180604
Kaspersky  No virus found  20180604
BitDefender  No virus found  20180604
Babable  No virus found  20180406
ViRobot  No virus found  20180604
AegisLab  No virus found  20180604
Rising  No virus found  20180604
Endgame  No virus found  20180507
Sophos  No virus found  20180604
Comodo  No virus found  20180604
F-Secure  No virus found  20180604
DrWeb  No virus found  20180604
Zillya  No virus found  20180604
TrendMicro  No virus found  20180604
McAfee-GW-Edition  No virus found  20180604
Emsisoft  No virus found  20180604
Ikarus  No virus found  20180604
Cyren  No virus found  20180604
Jiangmin  No virus found  20180604
Webroot  No virus found  20180604
Avira  No virus found  20180604
Fortinet  No virus found  20180604
Antiy-AVL  No virus found  20180604
Kingsoft  No virus found  20180604
Arcabit  No virus found  20180604
SUPERAntiSpyware  No virus found  20180604
ZoneAlarm  No virus found  20180604
Avast-Mobile  No virus found  20180604
Microsoft  No virus found  20180604
AhnLab-V3  No virus found  20180604
ALYac  No virus found  20180604
AVware  No virus found  20180604
MAX  No virus found  20180604
VBA32  No virus found  20180604
Malwarebytes  No virus found  20180604
Panda  No virus found  20180604
Zoner  No virus found  20180604
ESET-NOD32  No virus found  20180604
Tencent  No virus found  20180604
Yandex  No virus found  20180529
SentinelOne  No virus found  20180225
eGambit  No virus found  20180604
GData  No virus found  20180604
AVG  No virus found  20180604
Paloalto  No virus found  20180604
Qihoo-360  No virus found  20180604

Process tree

rundll32.exe, PID: 2100, parent process PID: 2020

TCP

Source address  Source port  Destination address  Destination port
192.168.122.203  49159  101.110.118.25  80
192.168.122.203  49161  101.110.118.61  80
192.168.122.203  49166  101.110.118.63  80
192.168.122.203  49158  23.32.241.26  80
192.168.122.203  49160  23.32.241.26  80
192.168.122.203  49165  23.32.241.26  80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.203  58280  192.168.122.1  53


HTTP requests

URI  HTTP data
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 02 May 2017 22:24:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

http://101.110.118.25/crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
GET /crl.microsoft.com/pki/crl/products/microsoftrootcert.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 02 May 2017 22:24:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: 101.110.118.25

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
GET /pki/crl/products/CodeSigPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

http://101.110.118.61/crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
GET /crl.microsoft.com/pki/crl/products/CodeSigPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: 101.110.118.61

http://crl.microsoft.com/pki/crl/products/tspca.crl
GET /pki/crl/products/tspca.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:54 GMT
If-None-Match: "8ab194b3d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

http://101.110.118.63/crl.microsoft.com/pki/crl/products/tspca.crl
GET /crl.microsoft.com/pki/crl/products/tspca.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:54 GMT
If-None-Match: "8ab194b3d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: 101.110.118.63

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 20.623 seconds )

  • 12.009 Suricata
  • 5.447 NetworkAnalysis
  • 1.239 VirusTotal
  • 1.117 TargetInfo
  • 0.442 peid
  • 0.285 AnalysisInfo
  • 0.041 Debug
  • 0.023 BehaviorAnalysis
  • 0.015 Strings
  • 0.005 Memory

Signatures ( 2.526 seconds )

  • 2.221 md_url_bl
  • 0.175 md_bad_drop
  • 0.018 antiav_detectreg
  • 0.012 md_domain_bl
  • 0.008 persistence_autorun
  • 0.008 antiav_detectfile
  • 0.008 infostealer_ftp
  • 0.006 geodo_banking_trojan
  • 0.006 ransomware_files
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_im
  • 0.005 ransomware_extensions
  • 0.004 antianalysis_detectreg
  • 0.004 disables_browser_warn
  • 0.004 network_http
  • 0.003 rat_nanocore
  • 0.003 tinba_behavior
  • 0.003 cerber_behavior
  • 0.003 antivm_vbox_files
  • 0.003 infostealer_mail
  • 0.002 betabot_behavior
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.001 network_tor
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 ursnif_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 modify_uac_prompt
  • 0.001 network_cnc_http

Reporting ( 0.0 seconds )

Task ID 167460
Mongo ID 5b3619512e06330ce2562ed9
Cuckoo release 1.4-Maldun