Malware Analysis Report

2025-03-15 06:51

Sample ID 240105-b2dmfsgdg6
Target 542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0
SHA256 542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0
Tags
upx orcus rat spyware stealer blankgrabber
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0

Threat Level: Known bad

The file 542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0 was found to be: Known bad.

Malicious Activity Summary

upx orcus rat spyware stealer blankgrabber

Orcus

A stealer written in Python and packaged with PyInstaller

Orcus main payload

Blankgrabber family

Orcus Rat Executable

Loads dropped DLL

UPX packed file

Executes dropped EXE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 01:38

Signatures

A stealer written in Python and packaged with PyInstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 01:38

Reported

2024-01-05 01:40

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe

"C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe"

C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe

"C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23802\python310.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2256-24-0x000007FEF6270000-0x000007FEF66DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 01:38

Reported

2024-01-05 01:40

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcus Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe N/A (16 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (41 identical rows)

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe (2 identical rows)
PID 5112 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 5112 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 5112 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 5112 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 5112 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 4080 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 216 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1556 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe (2 identical rows)
PID 4560 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 4432 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe

"C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe'"

C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe

"C:\Users\Admin\AppData\Local\Temp\542597d09e5dcf869e58cbcec0b6caa530a5b5a1fc0768b5c64702813bcde7a0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 blank-fqqa0.in udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
NL 52.142.223.178:80 N/A tcp
N/A 192.168.188.89:10134 N/A tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
GB 96.17.178.176:80 N/A tcp
N/A 192.168.188.89:80 N/A tcp
US 204.79.197.200:443 g.bing.com tcp
GB 96.17.178.176:80 N/A tcp
GB 96.17.178.176:80 N/A tcp
GB 96.17.178.176:80 N/A tcp
GB 96.17.178.176:80 N/A tcp
GB 96.17.178.176:80 N/A tcp
US 20.3.187.198:443 N/A tcp
GB 96.17.178.176:80 N/A tcp
DE 84.178.197.171:10134 N/A tcp
GB 96.17.178.176:80 N/A tcp
GB 88.221.134.42:80 N/A tcp
GB 96.17.178.176:80 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI49922\python310.dll

MD5 1fd94878c2b2ff2e82009e58cce7104a
SHA1 80cb1f050a7b167d887cf186e6f76a630de02e8a
SHA256 f764e45b6caa502bb14b80bad6ae0fc5e4f4707625607454dc52325132e15fa0
SHA512 b2829d41d174dac2d1cf08b486b53a301831f6ab24964044ac3c59b917917c1841d90f5a6760a63a1a43de86c727065aa2f04e86d70b2965328511afe88d127e

C:\Users\Admin\AppData\Local\Temp\_MEI49922\VCRUNTIME140.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5112-26-0x00007FF8600F0000-0x00007FF86055E000-memory.dmp

memory/5112-50-0x00007FF8752A0000-0x00007FF8752AF000-memory.dmp

memory/5112-68-0x00007FF86F050000-0x00007FF86F07E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\libcrypto-1_1.dll

MD5 daa2eed9dceafaef826557ff8a754204
SHA1 27d668af7015843104aa5c20ec6bbd30f673e901
SHA256 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA512 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

memory/5112-73-0x0000020471C70000-0x0000020471FE5000-memory.dmp

memory/5112-74-0x00007FF85F640000-0x00007FF85F9B5000-memory.dmp

memory/5112-79-0x00007FF86EE90000-0x00007FF86EE9D000-memory.dmp

memory/5112-80-0x00007FF8600F0000-0x00007FF86055E000-memory.dmp

memory/5112-82-0x00007FF85F520000-0x00007FF85F638000-memory.dmp

memory/5112-81-0x00007FF86F030000-0x00007FF86F044000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 4fe283a3f154f6be93049792146d573d
SHA1 3ef55c3c8b177b500a2b28dd7e06c21e12db9124
SHA256 ca58c3622823c65d1a9b5a06d1b0b46cd7f6c46c6a7bc2dda5f1b1f52ea186f7
SHA512 405a45dd6bb745470deb1d01264ef97bc87c97c79b83a52e6bcdacd30e9a3f3ec0590b6888d35bc434ffe3a08177f003177ae0ddf026e8eb8129d29a82abd290

memory/5112-84-0x00007FF8722D0000-0x00007FF8722F4000-memory.dmp

memory/5076-91-0x000001EF4B7D0000-0x000001EF4B7F2000-memory.dmp

memory/5076-93-0x00007FF85E9A0000-0x00007FF85F461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpq2ybge.lp4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4700-117-0x00007FF85E9A0000-0x00007FF85F461000-memory.dmp

memory/2852-121-0x000001139D580000-0x000001139D590000-memory.dmp

memory/1740-124-0x0000000005020000-0x000000000507C000-memory.dmp

memory/2852-123-0x00007FF85E9A0000-0x00007FF85F461000-memory.dmp

memory/1740-125-0x0000000005910000-0x0000000005EB4000-memory.dmp

memory/1740-128-0x0000000005350000-0x0000000005360000-memory.dmp

memory/1740-127-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/1740-126-0x0000000005190000-0x0000000005222000-memory.dmp

memory/1740-122-0x0000000001140000-0x000000000114E000-memory.dmp

memory/4700-120-0x0000018929630000-0x0000018929640000-memory.dmp

memory/5076-132-0x00007FF85E9A0000-0x00007FF85F461000-memory.dmp

memory/5112-139-0x00007FF86F200000-0x00007FF86F22D000-memory.dmp

memory/5112-147-0x00007FF85F640000-0x00007FF85F9B5000-memory.dmp

memory/5112-150-0x00007FF85F520000-0x00007FF85F638000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\blank.aes

MD5 2ed7012b1a0aa0a3f0d8f45d11372901
SHA1 d95ff23e69f40889408d94549877845ab1308e69
SHA256 354b767847d81219b1e04ca9e2f67bea5a671f314182b1ac08db27c39e5404f0
SHA512 b6d58c701db0f244919a43f406b208b2cfa1360c4e06677b2c587175551ac785c07d01927d2ac2fe763d61ff2fcfa6a820e7195782f4cbb19358e70fc66b4223

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/2852-165-0x00007FF85E9A0000-0x00007FF85F461000-memory.dmp

memory/2176-173-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2176-172-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/1740-171-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2176-174-0x0000000005250000-0x000000000529E000-memory.dmp

memory/2176-176-0x0000000005B00000-0x0000000005B18000-memory.dmp

memory/2176-177-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

memory/2696-178-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/4700-155-0x00007FF85E9A0000-0x00007FF85F461000-memory.dmp

memory/5112-149-0x00007FF86EE90000-0x00007FF86EE9D000-memory.dmp

memory/5112-148-0x00007FF86F030000-0x00007FF86F044000-memory.dmp

memory/5112-146-0x00007FF86EEA0000-0x00007FF86EF58000-memory.dmp

memory/5112-145-0x00007FF86F050000-0x00007FF86F07E000-memory.dmp

memory/5112-144-0x00007FF86F080000-0x00007FF86F08D000-memory.dmp

memory/2696-179-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

memory/2176-180-0x0000000005FC0000-0x0000000005FCA000-memory.dmp

memory/5112-143-0x00007FF86F1A0000-0x00007FF86F1B9000-memory.dmp

memory/5112-142-0x00007FF85F9C0000-0x00007FF85FB31000-memory.dmp

memory/5112-141-0x00007FF86F1C0000-0x00007FF86F1DF000-memory.dmp

memory/5112-140-0x00007FF86F1E0000-0x00007FF86F1F9000-memory.dmp

memory/5112-138-0x00007FF8752A0000-0x00007FF8752AF000-memory.dmp

memory/5112-137-0x00007FF8722D0000-0x00007FF8722F4000-memory.dmp

memory/5112-136-0x00007FF8600F0000-0x00007FF86055E000-memory.dmp

memory/1740-131-0x0000000005160000-0x0000000005172000-memory.dmp

memory/4700-119-0x0000018929630000-0x0000018929640000-memory.dmp

memory/5076-118-0x000001EF330F0000-0x000001EF33100000-memory.dmp

memory/1740-116-0x00000000006A0000-0x000000000078C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\unicodedata.pyd

MD5 7a462a10aa1495cef8bfca406fb3637e
SHA1 6dcbd46198b89ef3007c76deb42ab10ba4c4cf40
SHA256 459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0
SHA512 d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_queue.pyd

MD5 0e7612fc1a1fad5a829d4e25cfa87c4f
SHA1 3db2d6274ce3dbe3dbb00d799963df8c3046a1d6
SHA256 9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8
SHA512 52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_hashlib.pyd

MD5 4ae75c47dbdebaa16a596f31b27abd9e
SHA1 a11f963139c715921dedd24bc957ab6d14788c34
SHA256 2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d
SHA512 e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

memory/5112-72-0x00007FF86EEA0000-0x00007FF86EF58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\libssl-1_1.dll

MD5 eac369b3fde5c6e8955bd0b8e31d0830
SHA1 4bf77158c18fe3a290e44abd2ac1834675de66b4
SHA256 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512 c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ssl.pyd

MD5 081c878324505d643a70efcc5a80a371
SHA1 8bef8336476d8b7c5c9ef71d7b7db4100de32348
SHA256 fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66
SHA512 c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

memory/5112-66-0x00007FF86F080000-0x00007FF86F08D000-memory.dmp

memory/5112-65-0x00007FF86F1A0000-0x00007FF86F1B9000-memory.dmp

memory/5112-62-0x00007FF85F9C0000-0x00007FF85FB31000-memory.dmp

memory/5112-60-0x00007FF86F1C0000-0x00007FF86F1DF000-memory.dmp

memory/5112-58-0x00007FF86F1E0000-0x00007FF86F1F9000-memory.dmp

memory/5112-56-0x00007FF86F200000-0x00007FF86F22D000-memory.dmp

memory/5112-32-0x00007FF8722D0000-0x00007FF8722F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49922\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI49922\python310.dll

MD5 5d4672625801ca0853669a8da1d143e5
SHA1 a9004d68a643f9220b74aa3318e631e57a5c758c
SHA256 a96a1044b6ec65ee27c85ffb95c7dca4ae3adf6de7e7e3236b1949dde98829f3
SHA512 697651ecb15850fd845e8ffdd418516d13918199bc7bd813424f9ea5b57be8e1cbc9838815a5db3d5e30e0028e52c33c657e442e76cb5f83d603e6c7e061aa37

memory/2696-185-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/2176-186-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/2176-187-0x0000000004D30000-0x0000000004D40000-memory.dmp