IOC Report
ocs.exe


Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| ocs.exe | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat | DOS batch file, ASCII text, with CRLF line terminators | dropped | |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\ocs.exe | "C:\Users\user\Desktop\ocs.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" " | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet | |
| C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet | |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://nsis.sf.net/NSIS_Error | unknown | |
| http://nsis.sf.net/NSIS_ErrorError | unknown | |
| http://www.ocsinventory-ng.org | unknown | |

Memdumps

| Base Address | Region type | Protect | Malicious |
| --- | --- | --- | --- |
| 400000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 19D000 | stack | page read and write | |
| 2C9E000 | stack | page read and write | |
| 52E000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |
| 2200000 | heap | page read and write | |
| 680000 | heap | page read and write | |
| 40B000 | unknown | page readonly | |
| 90F000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 550000 | heap | page read and write | |
| 41C000 | unknown | page execute and write copy | |
| 2300000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 2A5F000 | stack | page read and write | |
| 6EF000 | stack | page read and write | |
| 770000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 411000 | unknown | page read and write | |
| 58A000 | heap | page read and write | |
| 4B0000 | heap | page read and write | |
| 5FA000 | heap | page read and write | |
| 760000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 548000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 5E8000 | heap | page read and write | |
| 460000 | heap | page read and write | |
| 90F000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 940000 | heap | page read and write | |
| 411000 | unknown | page read and write | |
| 40B000 | unknown | page readonly | |
| 2333000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| 401000 | unknown | page execute read | |
| 2270000 | heap | page read and write | |
| 2C5F000 | stack | page read and write | |
| 400000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 412000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 57F000 | unknown | page write copy | |
| 7BE000 | stack | page read and write | |
| 92E000 | stack | page read and write | |
| 21B6000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 401000 | unknown | page execute read | |
| 9C000 | stack | page read and write | |
| 57A000 | unknown | page execute and write copy | |
| 8CF000 | stack | page read and write | |
| 420000 | heap | page read and write | |
| 448000 | heap | page read and write | |
| 57E000 | stack | page read and write | |
| 5E0000 | heap | page read and write | |
| 568000 | heap | page read and write | |
| 580000 | heap | page read and write | |
| 58E000 | heap | page read and write | |
| 90E000 | stack | page read and write | |
| 64A000 | heap | page read and write | |
| 560000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 411000 | unknown | page write copy | |
| 412000 | unknown | page readonly | |
| 40B000 | unknown | page readonly | |
| 420000 | heap | page read and write | |
| 40B000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 7CF000 | stack | page read and write | |
| E0E000 | stack | page read and write | |
| 2330000 | heap | page read and write | |
| 5F0000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 57F000 | unknown | page read and write | |
| 5B1000 | heap | page read and write | |
| 24EE000 | stack | page read and write | |
| 401000 | unknown | page execute and read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| 411000 | unknown | page write copy | |
| 400000 | unknown | page readonly | |
| 245E000 | stack | page read and write | |
| 64E000 | heap | page read and write | |
| 83F000 | stack | page read and write | |
| 45E000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 24A0000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 1F0000 | heap | page read and write | |
| 4A0000 | heap | page read and write | |
| A3F000 | stack | page read and write | |
| 56E000 | stack | page read and write | |
| 9C000 | stack | page read and write | |
| 401000 | unknown | page execute read | |
| 82F000 | stack | page read and write | |
| 412000 | unknown | page readonly | |
| 2EDC000 | stack | page read and write | |
| 21C0000 | heap | page read and write | |
| 241E000 | stack | page read and write | |
| 295E000 | stack | page read and write | |
| 2B5F000 | stack | page read and write | |
| 9C000 | stack | page read and write | |
| 540000 | heap | page read and write | |
| 21B0000 | heap | page read and write | |
| 80F000 | stack | page read and write | |
| 411000 | unknown | page read and write | |
| 570000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 21C6000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 2DDC000 | stack | page read and write | |
| 93F000 | stack | page read and write | |
| 2D9F000 | stack | page read and write | |
| 765000 | heap | page read and write | |
| 40B000 | unknown | page readonly | |
| 2296000 | heap | page read and write | |
| 970000 | heap | page read and write | |
| 46E000 | stack | page read and write | |
| 401000 | unknown | page execute read | |
| 5CE000 | stack | page read and write | |
| 40B000 | unknown | page readonly | |
| 9C000 | stack | page read and write | |
| 411000 | unknown | page write copy | |
| 411000 | unknown | page read and write | |
| 2206000 | heap | page read and write | |
| 9B000 | stack | page read and write | |
| 45E000 | stack | page read and write | |
| 19B000 | stack | page read and write | |
| 4D0000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 411000 | unknown | page write copy | |
| 4A0000 | heap | page read and write | |
| 8BF000 | stack | page read and write | |
| 2290000 | heap | page read and write | |
| 640000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 411000 | unknown | page read and write | |
| 409000 | unknown | page execute and read and write | |
| 579000 | unknown | page execute and read and write | |
| 400000 | unknown | page readonly | |
| 4EE000 | stack | page read and write | |
| 718000 | heap | page read and write | |
| 2510000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 411000 | unknown | page write copy | |
| 2304000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 412000 | unknown | page readonly | |
| 5BE000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |
| 249E000 | stack | page read and write | |
| 49E000 | stack | page read and write | |
| 710000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 440000 | heap | page read and write | |
| 556000 | heap | page read and write | |
| 9C000 | stack | page read and write | |
| 4AE000 | stack | page read and write | |
| 19D000 | stack | page read and write | |
A further 154 memdumps are not included in this export.