home

ocs_v71a.exe

OCS

The application ocs_v71a.exe has been detected as a potentially unwanted program by 7 anti-malware scanners. While running, it connects to the Internet address www2.thinklabs-cluster.de on port 80 using the HTTP protocol.
Publisher:
OCS

Product:
OCS

Version:
1.0.0.0

MD5:
317ec5f92cfbf04a53e8125b66b3b4af

SHA-1:
16068b8977b4dc562ae782d91bc009472667e331

SHA-256:
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

Scanner detections:
7 / 68

Status:
Potentially unwanted

Analysis date:
4/18/2024 11:22:51 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Baidu Antivirus
Trojan.Win32.DownloadSponsor
4.0.3.131220

Bkav FE
W32.Clod5ea.Trojan
1.3.0.4613

ESET NOD32
Win32/DownloadSponsor (variant)
7.9232

K7 AntiVirus
Trojan
13.174.10679

McAfee
Artemis!317EC5F92CFB
5600.7275

Trend Micro House Call
TROJ_GEN.F47V1127
7.2.354

VIPRE Antivirus
DownloadSponsor
24922

File size:
288 KB (294,912 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Project OCS

Original file name:
OCS.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ocs_v71a.exe

File PE Metadata
Compilation timestamp:
11/27/2013 4:26:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:CbCGf7FUEQwAH/qo25/Bj70kweunGwkDeN3CNBjDnm9L9nfWzkul/gF46bQN2Gwp:yfCEv2YUMNJlaJuNlK17Y4c83f

Entry address:
0x43E2E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
5.9478

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
264 KB (270,336 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www2.thinklabs-cluster.de  (148.251.198.119:80)

TCP (HTTP SSL):
Connects to prxy2.thinklabs-cluster.de  (46.4.173.132:443)

TCP (HTTP SSL):
Connects to prxy1.thinklabs-cluster.de  (88.198.27.202:443)

TCP (HTTP):
Connects to www1.thinklabs-cluster.de  (88.198.27.201:80)

TCP (HTTP SSL):
Connects to static.117.198.251.148.clients.your-server.de  (148.251.198.117:443)

TCP (HTTP):
Connects to openx-farm.l3muc-b.cxo.name  (212.162.62.38:80)

TCP (HTTP):
Connects to a88-221-92-55.deploy.akamaitechnologies.com  (88.221.92.55:80)

TCP (HTTP):
Connects to dls.thinklabs-cluster.de  (144.76.75.91:80)

TCP (HTTP):
Connects to a2-16-216-136.deploy.akamaitechnologies.com  (2.16.216.136:80)

TCP (HTTP):
Connects to a1638.g.akamai.net  (212.162.62.43:80)

Remove ocs_v71a.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.