Files
| File Path | Type | Category | Malicious |
|---|---|---|---|
| ocs.exe | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | initial sample | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat | DOS batch file, ASCII text, with CRLF line terminators | dropped | |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | |
Processes
| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\ocs.exe | "C:\Users\user\Desktop\ocs.exe" | |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" " | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet | |
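The process list above is the security-relevant part of this report: the dropped start.bat launches runasspc.exe five times, each time wrapping the same silent OCS agent installer (/S, /SERVER:192.168.32.7, /PNUM:80) and each time with a different cleartext password for the local Administrator account. Because runasspc takes the password as a plain command-line switch, every one of those launches lands verbatim in process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled). The Python below is an added example, not code from the report, from runasspc or from OCS Inventory: it parses such command lines with the switch syntax visible in the table (/name:"quoted value", /name:value, bare /flag), recovers account, password and the wrapped program, and flags the pattern seen here, one program launched repeatedly with several passwords for the same account. The sample input is constructed from the table rows; the switch grammar is an assumption drawn from those rows, not runasspc's documented parser.

```python
"""Extract cleartext credentials from runasspc.exe command lines.

Added example, not part of the sandbox report or of the runasspc/OCS tooling.
"""
import re
from collections import defaultdict

# Constructed input: the command lines from the Processes table above, shaped
# like the CommandLine field of a process-creation event.
SAMPLE_COMMANDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" "',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    'runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet',
    'runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet',
    'runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet',
    'runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet',
    'runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet',
]

# Switch grammar as seen in the table (assumed, not runasspc's own parser):
# /name:"quoted value", /name:bare_value, or a bare /flag.
_SWITCH = re.compile(r'/(\w+)(?::(?:"([^"]*)"|(\S+)))?')


def split_switches(text):
    """Return {switch (lower-cased): value or None} for the switches in text."""
    switches = {}
    for m in _SWITCH.finditer(text):
        name, quoted, bare = m.groups()
        switches[name.lower()] = quoted if quoted is not None else bare
    return switches


def _first_token(cmdline):
    """Split a Windows command line into (executable, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:]
    exe, _, rest = s.partition(' ')
    return exe, rest


def parse_runasspc(cmdline):
    """Return a finding for a runasspc.exe launch that carries a password, else None."""
    exe, rest = _first_token(cmdline)
    if exe.rsplit('\\', 1)[-1].lower() != 'runasspc.exe':
        return None
    sw = split_switches(rest)
    if 'password' not in sw:
        return None
    # /program: wraps the command runasspc runs under the given account; the
    # /S, /SERVER and /PNUM switches inside it belong to the wrapped installer.
    target_exe, target_args = _first_token(sw.get('program') or '')
    target_sw = split_switches(target_args)
    return {
        'domain': sw.get('domain'),
        'user': sw.get('user'),
        'password': sw['password'],
        'target': target_exe.lower(),
        'server': target_sw.get('server'),
        'port': target_sw.get('pnum'),
        'silent': 's' in target_sw,
    }


def analyse(cmdlines):
    """Return (findings, suspicious).

    suspicious maps (domain, user, target) to the sorted distinct passwords
    for every group that tried more than one password for the same account.
    """
    findings = [f for f in map(parse_runasspc, cmdlines) if f]
    tried = defaultdict(set)
    for f in findings:
        tried[(f['domain'], f['user'], f['target'])].add(f['password'])
    suspicious = {k: sorted(v) for k, v in tried.items() if len(v) > 1}
    return findings, suspicious


if __name__ == '__main__':
    found, spray = analyse(SAMPLE_COMMANDLINES)
    for f in found:
        print(f"{f['domain']}\\{f['user']} -> {f['target']} "
              f"(server {f['server']}:{f['port']}) password={f['password']!r}")
    for (domain, user, target), passwords in spray.items():
        print(f"{len(passwords)} distinct passwords tried for {domain}\\{user} running {target}")
```

Two things follow from running this over real telemetry: the recovered passwords should be treated as exposed and rotated wherever they are reused, and the "several passwords for one account from one parent" grouping is a usable hunting query on its own, since legitimate deployment scripts do not guess at the Administrator password.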
URLs
| Name | IP | Malicious |
|---|---|---|
| http://nsis.sf.net/NSIS_Error | unknown | |
| http://nsis.sf.net/NSIS_ErrorError | unknown | |
| http://www.ocsinventory-ng.org | unknown | |
Memdumps
| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 400000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 19D000 | stack | page read and write | |
| 2C9E000 | stack | page read and write | |
| 52E000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |
| 2200000 | heap | page read and write | |
| 680000 | heap | page read and write | |
| 40B000 | unknown | page readonly | |
| 90F000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 550000 | heap | page read and write | |
| 41C000 | unknown | page execute and write copy | |
| 2300000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 2A5F000 | stack | page read and write | |
| 6EF000 | stack | page read and write | |
| 770000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 411000 | unknown | page read and write | |
| 58A000 | heap | page read and write | |
| 4B0000 | heap | page read and write | |
| 5FA000 | heap | page read and write | |
| 760000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 548000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 5E8000 | heap | page read and write | |
| 460000 | heap | page read and write | |
| 90F000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 940000 | heap | page read and write | |
| 411000 | unknown | page read and write | |
| 40B000 | unknown | page readonly | |
| 2333000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| 401000 | unknown | page execute read | |
| 2270000 | heap | page read and write | |
| 2C5F000 | stack | page read and write | |
| 400000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 412000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 57F000 | unknown | page write copy | |
| 7BE000 | stack | page read and write | |
| 92E000 | stack | page read and write | |
| 21B6000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 401000 | unknown | page execute read | |
| 9C000 | stack | page read and write | |
| 57A000 | unknown | page execute and write copy | |
| 8CF000 | stack | page read and write | |
| 420000 | heap | page read and write | |
| 448000 | heap | page read and write | |
| 57E000 | stack | page read and write | |
| 5E0000 | heap | page read and write | |
| 568000 | heap | page read and write | |
| 580000 | heap | page read and write | |
| 58E000 | heap | page read and write | |
| 90E000 | stack | page read and write | |
| 64A000 | heap | page read and write | |
| 560000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 411000 | unknown | page write copy | |
| 412000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 420000 | heap | page read and write | |
| 40B000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 7CF000 | stack | page read and write | |
| E0E000 | stack | page read and write | |
| 2330000 | heap | page read and write | |
| 5F0000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 57F000 | unknown | page read and write | |
| 5B1000 | heap | page read and write | |
| 24EE000 | stack | page read and write | |
| 401000 | unknown | page execute and read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| 411000 | unknown | page write copy | |
| 400000 | unknown | page readonly | |
| 245E000 | stack | page read and write | |
| 64E000 | heap | page read and write | |
| 83F000 | stack | page read and write | |
| 45E000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 24A0000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 1F0000 | heap | page read and write | |
| 4A0000 | heap | page read and write | |
| A3F000 | stack | page read and write | |
| 56E000 | stack | page read and write | |
| 9C000 | stack | page read and write | |
| 401000 | unknown | page execute read | |
| 82F000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 2EDC000 | stack | page read and write | |
| 21C0000 | heap | page read and write | |
| 241E000 | stack | page read and write | |
| 295E000 | stack | page read and write | |
| 2B5F000 | stack | page read and write | |
| 9C000 | stack | page read and write | |
| 540000 | heap | page read and write | |
| 21B0000 | heap | page read and write | |
| 80F000 | stack | page read and write | |
| 411000 | unknown | page read and write | |
| 570000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 21C6000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 2DDC000 | stack | page read and write | |
| 93F000 | stack | page read and write | |
| 2D9F000 | stack | page read and write | |
| 765000 | heap | page read and write | |
| 40B000 | unknown | page readonly | |
| 2296000 | heap | page read and write | |
| 970000 | heap | page read and write | |
| 46E000 | stack | page read and write | |
| 401000 | unknown | page execute read | |
| 5CE000 | stack | page read and write | |
| 40B000 | unknown | page readonly | |
| 9C000 | stack | page read and write | |
| 411000 | unknown | page write copy | |
| 411000 | unknown | page read and write | |
| 2206000 | heap | page read and write | |
| 9B000 | stack | page read and write | |
| 45E000 | stack | page read and write | |
| 19B000 | stack | page read and write | |
| 4D0000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 411000 | unknown | page write copy | |
| 4A0000 | heap | page read and write | |
| 8BF000 | stack | page read and write | |
| 2290000 | heap | page read and write | |
| 640000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 411000 | unknown | page read and write | |
| 409000 | unknown | page execute and read and write | |
| 579000 | unknown | page execute and read and write | |
| 400000 | unknown | page readonly | |
| 4EE000 | stack | page read and write | |
| 718000 | heap | page read and write | |
| 2510000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 411000 | unknown | page write copy | |
| 2304000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 412000 | unknown | page readonly | |
| 5BE000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |
| 249E000 | stack | page read and write | |
| 49E000 | stack | page read and write | |
| 710000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 440000 | heap | page read and write | |
| 556000 | heap | page read and write | |
| 9C000 | stack | page read and write | |
| 4AE000 | stack | page read and write | |
| 19D000 | stack | page read and write | |

A further 154 memdump regions are not included in this export.
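What matters in the memdump table is not any single row but how the same base address changes protection between dumps: 401000 appears as "page execute read" in some dumps and "page execute and read and write" in another, 411000 alternates between "page read and write" and "page write copy", 57F000 between "page write copy" and "page read and write", and 41C000, 57A000, 409000 and 579000 are writable and executable at once. For a sample the Files table identifies as UPX compressed, that is the footprint of code being written into the image and then executed, which is what an in-place unpacker does; the report itself does not say so, and this is an analyst's reading of the rows. The Python below is an added example, not part of the report: it maps the report's protection labels onto R/W/X/copy-on-write flags using Win32 PAGE_* semantics, groups dumps by base address and region type, and returns the regions that were ever writable and executable or whose protection changed across dumps. The rows are a constructed subset copied from the table above.

```python
"""Flag image regions that were ever W+X or changed protection across dumps.

Added example, not part of the sandbox report.
"""
from collections import defaultdict

# Constructed sample: a subset of the (Base Address, Region type, Protect)
# rows from the Memdumps table above, in the order they appear there.
SAMPLE_ROWS = [
    ("400000", "unknown", "page readonly"),
    ("401000", "unknown", "page execute read"),
    ("41C000", "unknown", "page execute and write copy"),
    ("411000", "unknown", "page read and write"),
    ("40B000", "unknown", "page readonly"),
    ("57F000", "unknown", "page write copy"),
    ("57A000", "unknown", "page execute and write copy"),
    ("57F000", "unknown", "page read and write"),
    ("401000", "unknown", "page execute and read and write"),
    ("411000", "unknown", "page write copy"),
    ("409000", "unknown", "page execute and read and write"),
    ("579000", "unknown", "page execute and read and write"),
    ("1F0000", "heap", "page read and write"),
    ("19D000", "stack", "page read and write"),
]


def protect_flags(protect):
    """Map the report's protection label to a frozenset of R/W/X/C flags.

    Follows Win32 PAGE_* semantics: every label in this report is readable,
    "write copy" is copy-on-write (PAGE_WRITECOPY / PAGE_EXECUTE_WRITECOPY,
    still writable from the process's point of view), and "execute" marks
    executable pages.
    """
    words = set(protect.lower().replace("readonly", "read").split())
    flags = set()
    if "read" in words or "copy" in words:
        flags.add("R")
    if "write" in words:
        flags.add("W")
    if "execute" in words:
        flags.add("X")
    if "copy" in words:
        flags.add("C")
    return frozenset(flags)


def region_history(rows):
    """Group dumps by (base address, region type) -> list of flag sets in dump order."""
    history = defaultdict(list)
    for base, kind, protect in rows:
        history[(int(base, 16), kind)].append(protect_flags(protect))
    return history


def suspicious_regions(rows):
    """Return {(base, kind): [reasons]} for regions worth opening in a disassembler."""
    out = {}
    for key, seq in region_history(rows).items():
        reasons = []
        if any({"W", "X"} <= flags for flags in seq):
            reasons.append("writable+executable")
        if len(set(seq)) > 1:
            reasons.append("protection changed across dumps")
        if reasons:
            out[key] = reasons
    return out


if __name__ == "__main__":
    for (base, kind), reasons in sorted(suspicious_regions(SAMPLE_ROWS).items()):
        print(f"{base:08X} [{kind}]: {', '.join(reasons)}")
```

Regions the report labels "unknown" are the ones that are neither heap nor stack, so the hits all fall in the image of the process; the heap and stack rows never trip either check, which is the expected baseline for a process that is not injecting into itself. The same two checks run over the full 164 rows give the dump-ordered list of image regions to diff against the packed file on disk.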