Malware Analysis Report

2025-03-15 06:54

Sample ID 231214-b6k74aagap
Target cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53
SHA256 cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53
Tags
new tag orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53

Threat Level: Known bad

The file cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53 was found to be: Known bad.

Malicious Activity Summary

new tag orcus rat spyware stealer

Orcus

Orcus family

Orcurs Rat Executable

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-14 01:45

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-14 01:45

Reported

2023-12-14 01:47

Platform

win7-20231130-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3032 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2980 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2980 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2980 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2980 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3032 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2740 wrote to memory of 2836 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2836 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2836 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2836 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2308 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2308 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2308 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2308 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 2740 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe

"C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe"

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

"C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A8F394F5-B2A1-4ED3-BE73-F7DDD97D0A20} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11426.client.sudorat.top | udp
RU | 31.44.184.52:11426 | 11426.client.sudorat.top | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
N/A | 127.0.0.1:1111 | | tcp

Files

memory/2980-1-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2980-0-0x0000000000EE0000-0x00000000011DE000-memory.dmp

memory/2980-2-0x0000000004C50000-0x0000000004C90000-memory.dmp

memory/2980-3-0x0000000000500000-0x000000000050E000-memory.dmp

memory/2980-4-0x00000000046E0000-0x000000000473C000-memory.dmp

memory/2980-5-0x0000000000630000-0x0000000000642000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 6935a0f2c3cfbab13cc317770b301ce1
SHA1 d59c7c507b4e4c931fcaddfd483261c232d24b4e
SHA256 a95c09c2c1b096ae0907cac856dc628282d24e94efb6faa9771d8ec1487a8061
SHA512 d8f56dfd395cd5914f2df29766b35dc9ccc45183edc0e83ddb46b606a0d4f2e45632aa5e1f31cd32b4939d44951414971b27c6d88227d523549a745f64a4ffac

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 3c76811cf5776a24f033e44bc976d379
SHA1 c1db7c00c379b019a266c35de9513a8237e583dc
SHA256 08d38c316330034d73cc0a24db98936756fcef7d0b17d997541bac6a0e614a82
SHA512 2b7ed7c161b9f2b2e3ad72cdbced2ba7a9787754d17a9f35a563e977ec5a4f0d8330e3952243e75601a4a4e57d6cc58e2d56fd941f47f0be0ac4341c9c732c12

memory/3032-16-0x00000000001C0000-0x00000000004BE000-memory.dmp

memory/2980-17-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/3032-18-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/3032-19-0x0000000004D50000-0x0000000004D90000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 c8abdc4892f8a43962167a891915a3b6
SHA1 b7843b6755a276205c106e2c7f3dd59235886b2f
SHA256 0520c8e11d53398623383167f8126812119a638ea19e4cab021c3d564a98e54b
SHA512 283b085231fafd4b2f03589c6b04fdd82a10fa7b00319e89a8f38f4c5219ab3b094c480501c55920da78fb85759c42ff1898b36a75fbbf68da647d302ca22330

memory/3032-20-0x0000000004360000-0x00000000043AE000-memory.dmp

\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 6ce53889e50499943fd03295fb03c815
SHA1 955ac11e66bbbfb67c6fc2d3cf7a942ebf2fc424
SHA256 f3dd5fcbc4091200d9004c7f410bb61f2de28bbd733a1074cc1dedf121a90a6e
SHA512 da1dad435c85444601d6e80189df0369b467aa01ae98cec4b6b078987fd4f26c3ab29bbd87caf70c9f032d51585405e3c23078f3625c9b0683f6653be122e2d3

memory/2876-23-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2876-29-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2876-32-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3032-31-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2876-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2876-34-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2876-26-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 6b502a43c276422ced36edd8341d69c0
SHA1 91378b8ee0a96b0cf47c4da2d816ab624baad210
SHA256 cad7e4ceeb60865d50f417b663819f9ae38afa3f8bd6bea5f52283fc0e464ac9
SHA512 e782384bb64e6a8fd82cc0b65c8e7c9642eedaaba1522f10bf78e233a96fc7c853b94b21b3d31f14e018ca59db6d87210d646a906a7df2ac192098e70d460358

memory/2836-36-0x0000000001080000-0x000000000137E000-memory.dmp

memory/2876-25-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2876-21-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2876-37-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2876-38-0x0000000000E00000-0x0000000000E18000-memory.dmp

memory/2836-39-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2876-41-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

memory/2836-42-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

memory/2876-40-0x0000000004C20000-0x0000000004C60000-memory.dmp

memory/2836-55-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2876-56-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2876-57-0x0000000004C20000-0x0000000004C60000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 654f61c917469d1c3e7b1680204abfe3
SHA1 0fbed2074695670bb7c8d6932cfd35a1f9220afc
SHA256 cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53
SHA512 e26c32eead7727694b0f0cf06484f758c7d4cd2b56d57b6fab568d59fdfb63d30fb09b44a162ba73c0fea152171ff8e2b48a4b94d413712d3e38dc2f440b352a

memory/2308-59-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2308-60-0x00000000010A0000-0x000000000139E000-memory.dmp

memory/2308-61-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/2308-62-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2872-65-0x0000000073D10000-0x00000000743FE000-memory.dmp

memory/2872-64-0x0000000000320000-0x000000000061E000-memory.dmp

memory/2872-66-0x0000000073D10000-0x00000000743FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-14 01:45

Reported

2023-12-14 01:47

Platform

win10v2004-20231130-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5072 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3096 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 3096 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 3096 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5072 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe

"C:\Users\Admin\AppData\Local\Temp\cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53.exe"

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

"C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe"

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 11426.client.sudorat.top | udp
RU | 31.44.184.52:11426 | 11426.client.sudorat.top | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 52.184.44.31.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
N/A | 127.0.0.1:1111 | | tcp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp

Files

memory/3096-0-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/3096-1-0x0000000000030000-0x000000000032E000-memory.dmp

memory/3096-2-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

memory/3096-3-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

memory/3096-4-0x0000000004CD0000-0x0000000004D2C000-memory.dmp

memory/3096-6-0x00000000050C0000-0x0000000005152000-memory.dmp

memory/3096-5-0x00000000055D0000-0x0000000005B74000-memory.dmp

memory/3096-7-0x00000000050B0000-0x00000000050C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 37788dd08cb321bd8b0804f9cb117a78
SHA1 bf20d1670c3a81722908f046f6d5efcf49999636
SHA256 f25a3f9c6179974bd3f7cc74c2d234940313aca4e59cb41d0d942bd6fa4e0d4f
SHA512 c95d7f55b620f61a0ce4b787db9a01197e2f1a54beb2d6656fa58db35a0216a70fc132a8aa6718a7dc62557ab3a8a8a7e3467a8416ba8f2c9566a278588c3c01

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 6a0b331b76737cd0b07b3ca7e64c4f9d
SHA1 943076fc3e0229860a88e708ce00b31aba4ab32c
SHA256 b6d64668dc854cc4ffe1838b39173186db1f6231ebb57188d1ba160670d24669
SHA512 f1a7a5b598f723f6a266f70ec337dcd3f19976e4f4dc730142d650beb414f0eeaf4f6e23fe975eadc44fb1d3dff0286d1b91f58df877dc91c5f98c56953e9eb9

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 7f522de6e11725add1f1c60947fd69df
SHA1 4f408a9b9118732904b29c8939803179035981c2
SHA256 55714d31e8b043120e4669de83759302180c1b65c7f867f8dec78be750cf79d8
SHA512 6ab57fd6225bf37ac1ac7fc180ab59de24d941e613f4d6de71546560943b4c9dac39aae08562c98a94dcb8144ee4d6380675c46970b19a138184c2c1efd7ce7f

memory/3096-24-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/5072-23-0x00000000753A0000-0x0000000075B50000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/5072-25-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5072-26-0x0000000005970000-0x0000000005982000-memory.dmp

memory/5072-27-0x0000000005990000-0x00000000059DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 e218cac9ca16153dfd4647b5b829b24e
SHA1 7223652c0bed8a65e14ed1badb5efcdec2e0cc3a
SHA256 181be998715aa2fde747a64d35460ecc386ef4bbe4ae26d68fcfeee97cc3eedb
SHA512 3aa1d8411861d9b28729eb127083f379870e23c68a49fa8685baf0bf51f5a1baa142daeb880193e73eb35fcd052b5f44156520c6460d537c708ae3560d7cfc2a

memory/5072-29-0x00000000062F0000-0x000000000638C000-memory.dmp

memory/2744-31-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/5072-33-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/1080-34-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/1080-35-0x0000000005490000-0x00000000054A0000-memory.dmp

memory/1080-36-0x0000000005CA0000-0x0000000005CB8000-memory.dmp

memory/1080-37-0x0000000005CF0000-0x0000000005D00000-memory.dmp

memory/1080-38-0x0000000006960000-0x000000000696A000-memory.dmp

memory/1080-41-0x0000000007200000-0x0000000007266000-memory.dmp

memory/1080-42-0x0000000007890000-0x0000000007EA8000-memory.dmp

memory/1080-43-0x0000000007310000-0x0000000007322000-memory.dmp

memory/1080-44-0x0000000007370000-0x00000000073AC000-memory.dmp

memory/1080-45-0x00000000073B0000-0x00000000073FC000-memory.dmp

memory/1080-46-0x0000000007540000-0x000000000764A000-memory.dmp

memory/1080-47-0x0000000007EB0000-0x0000000008072000-memory.dmp

memory/2744-49-0x00000000753A0000-0x0000000075B50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\universalpython.exe.log

MD5 663b8d5469caa4489d463aa9bc18124f
SHA1 e57123a7d969115853ea631a3b33826335025d28
SHA256 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

memory/1080-50-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/1080-51-0x0000000005490000-0x00000000054A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 654f61c917469d1c3e7b1680204abfe3
SHA1 0fbed2074695670bb7c8d6932cfd35a1f9220afc
SHA256 cfa779005701baf8251281de201d9ee5790cd788f9f503f7a22bf6cf1bdb0b53
SHA512 e26c32eead7727694b0f0cf06484f758c7d4cd2b56d57b6fab568d59fdfb63d30fb09b44a162ba73c0fea152171ff8e2b48a4b94d413712d3e38dc2f440b352a

memory/3284-53-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/3284-54-0x0000000004F30000-0x0000000004F40000-memory.dmp

memory/3284-55-0x00000000753A0000-0x0000000075B50000-memory.dmp

C:\Users\Admin\AppData\Roaming\pollcentral\universalpython.exe

MD5 49af100ef359caae3031d59236a2d692
SHA1 90ef4362e36f96ae7cc3033c4b8c3bd73f84faf4
SHA256 9a23c1f7cff978addc8580a2646cf61302db1b02d4d758d829ab0e3d6e4dc88d
SHA512 289092a74fe7522fa3107125ca6dafdd85237d2ff00a9cae76c660158abdfdd759210d2756b15a1fb0f4d39ea6bec3d1cd3de4add566db0572956f18828314f2

memory/816-58-0x0000000005700000-0x0000000005710000-memory.dmp

memory/816-57-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/816-59-0x00000000753A0000-0x0000000075B50000-memory.dmp