Windows Analysis Report
ocs.exe

Overview

General Information

Sample name: ocs.exe
Analysis ID: 1559382
MD5: 725da9f8ec7b0b8316dae970f35590ef
SHA1: 81bc4602c202fc735785e99f338e8e73861b5113
SHA256: c047c39f77e0313414d81b081d2c80efd1295bb2b1a57faa0f911d43e22bc8be
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.0% probability
Source: ocs.exe Joe Sandbox ML: detected
Source: ocs.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00405E80 _mbscmp,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#533,#350,#540,#860,#540,#540,#540,#540,#540,#540,#5194,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,#823,#823,#823,#2915,#5448,#5448,#3790,#1997,#3337,#3337,#3337,#3337,time,time,#2818,#860,#940,#4129,#858,#800,#6778,#6663,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,_mbscmp,_mbscmp,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,#922,#5194,#800,#1997,_mbscmp,#540,#540,GetCurrentDirectoryA,#860,#941,#922,#858,#800,#5194,#1997,#858,#800,#800,_mbscmp,#922,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,GetLogicalDriveStringsA,#860,#860,#858,#6648,#926,#858,#800,#922,#5194,#800,lstrlenA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$ba 4_2_00405E80
Source: ocs.exe, OcsAgentSetup.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: OcsAgentSetup.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ocs.exe, OcsAgentSetup.exe.0.dr String found in binary or memory: http://www.ocsinventory-ng.org
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,strncmp,GetFocus,SendMessageA,GetPropA, 0_2_00405D3C
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00405B1F GetPropA,DefFrameProcA,SetLastError,NtdllDefWindowProc_A, 0_2_00405B1F
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A, 0_2_00407E1A
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A, 0_2_00404714
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00407190 _mbscmp,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#540,#540,#926,#922,#924,#924,#922,#858,#800,#800,#800,#800,#800,MessageBoxA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#2915,MultiByteToWideChar,MultiByteToWideChar,_mbscmp,#2915,GetComputerNameA,#5572,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,_mbscmp,#858,#2915,MultiByteToWideChar,_mbscmp,_mbscmp,_mbscmp,_mbscmp,GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,#800,#800,_mbscmp,_mbscmp,_mbscmp,#6663,#6648,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,_mbscmp,#2514,#656,#641,#2915,MultiByteToWideChar,#656,#641,CreateProcessWithLogonW,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#540,GetLastError,#2818,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#926,#922,#924,#922,#924,#858,#800,#800,#800,#800,#800,#2915,MultiByteToWideChar,CreateProcessWithLogonW,#800,#800,#800,WaitForSingleObject,WaitForSingleObject,#2915,TerminateProcess,#800,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV2 4_2_00407190
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00406960 0_2_00406960
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00423173 0_2_00423173
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040E930 0_2_0040E930
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040D9C0 0_2_0040D9C0
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040E240 0_2_0040E240
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00424A51 0_2_00424A51
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00406C10 0_2_00406C10
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040EC30 0_2_0040EC30
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040E630 0_2_0040E630
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040DE80 0_2_0040DE80
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_0040EE90 0_2_0040EE90
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00402410 4_2_00402410
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_004014A0 4_2_004014A0
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00401960 4_2_00401960
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00402970 4_2_00402970
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00402110 4_2_00402110
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00401D20 4_2_00401D20
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00402710 4_2_00402710
Source: ocs.exe Binary or memory string: OriginalFilename vs ocs.exe
Source: ocs.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ocs.exe Static PE information: Section: UPX1 ZLIB complexity 0.9993838396633768
Source: classification engine Classification label: mal48.winEXE@15/8@0/0
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00402C10 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#860,#860,#540,GetLastError,GetLastError,#2818,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#926,#922,#939,#800,#800,MessageBoxA,#800,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#926,#924,#922,#939,#800,#800,#800,MessageBoxA,#800,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#941,MessageBoxA,#800,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic 4_2_00402C10
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Code function: 4_2_00408990 WaitForSingleObject,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,CreateToolhelp32Snapshot,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,Process32First,CloseHandle,Process32Next,CloseHandle, 4_2_00408990
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_004020C9 FindResourceA,LoadResource,SizeofResource, 0_2_004020C9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Users\user\Desktop\ocs.exe File created: C:\Users\user\AppData\Local\Temp\A3BE.tmp Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" "
Source: C:\Users\user\Desktop\ocs.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ocs.exe "C:\Users\user\Desktop\ocs.exe"
Source: C:\Users\user\Desktop\ocs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet
Source: C:\Users\user\Desktop\ocs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: mfc42.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: mfc42.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: mfc42.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: mfc42.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: mfc42.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: ocs.exe Static file information: File size 1454592 > 1048576
Source: ocs.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x162a00
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary, 0_2_00405EB2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\ocs.exe File created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Jump to dropped file
Source: C:\Users\user\Desktop\ocs.exe File created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\ocs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ocs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\ocs.exe TID: 3372 Thread sleep count: 93 > 30 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_00403B70
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00403CC0 SetUnhandledExceptionFilter, 0_2_00403CC0
Source: C:\Users\user\Desktop\ocs.exe Code function: 0_2_00403CD7 GetVersionExA,GetVersionExA,GetVersionExA, 0_2_00403CD7
No contacted IP infos