Analysis Overview
SHA256
057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf
Threat Level: Known bad
The file 057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Guloader family
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 19:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 19:19
Reported
2024-11-06 19:22
Platform
win7-20241010-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2880 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe
"C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe"
C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe
"C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 68
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\Desktop\peripheries.lnk
| MD5 | 1b5dba842f7f0d5f0a1c9fdfb670bfa8 |
| SHA1 | 9dd9bf5e0eb756ab8dbdec0869b6b156700fc5bd |
| SHA256 | 3cdd4d8bb60d898851735427e4ea085161c09194da3dec593c1868cf59dbcebd |
| SHA512 | f7bb2b820bfb352e769dc5991c13b769cc57d5e7c039cfccc223b90cc3c4068b70606ed210be80cb3441061c6c417bea788c03fb2cfc5ac3c5db7c6f741a59de |
C:\Users\Admin\Desktop\peripheries.lnk
| MD5 | 35051d8132b702d06ae92d716daa8325 |
| SHA1 | d780139bce873b9cea9f3d067d03dd0e2e43dc28 |
| SHA256 | 8913c70de6fb9f789eb8c7c214d1ec534b2463173d634b57bb730fb931d04839 |
| SHA512 | afa2bc9a7b6aef6d9d10d94bf2530bf17e5681b863ba89e73a19a6181a569d2711b5cabf9bb7efae57a73aab9c7e1d43277a752a7637aa4477455d5de14f3aa6 |
\Users\Admin\AppData\Local\Temp\nst3850.tmp\System.dll
| MD5 | cf85183b87314359488b850f9e97a698 |
| SHA1 | 6b6c790037eec7ebea4d05590359cb4473f19aea |
| SHA256 | 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac |
| SHA512 | fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b |
memory/2880-24644-0x0000000002EE0000-0x000000000474B000-memory.dmp
memory/2880-24645-0x0000000002EE0000-0x000000000474B000-memory.dmp
memory/2880-24646-0x0000000077BD1000-0x0000000077CD2000-memory.dmp
memory/2880-24647-0x0000000077BD0000-0x0000000077D79000-memory.dmp
memory/2880-24648-0x0000000002EE0000-0x000000000474B000-memory.dmp
memory/2552-24650-0x0000000077BD0000-0x0000000077D79000-memory.dmp
memory/2552-24649-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2552-24673-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2552-24674-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2552-24676-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2552-24675-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2552-24677-0x0000000000400000-0x0000000001462000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 19:19
Reported
2024-11-06 19:26
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1396 set thread context of 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe
"C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe"
C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe
"C:\Users\Admin\AppData\Local\Temp\057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3356 -ip 3356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1664
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\peripheries.lnk
| MD5 | 9cab0663473a9a6a7f89882576d4d96d |
| SHA1 | 203d54f70fa848c657d253665069161d834a13d2 |
| SHA256 | 0bf6bf3ecffd712beeab81906f2ca334961a75d8a73dacfcd7740d43df0cf319 |
| SHA512 | f9b1b22cf23afbc38a0b8c2173bce1a76604d6b19bdc18580f9f2bb896465cf0c3e3f127d8943e7a359a94eace323ed36bc2ccba97a069e815bbe50eef91ad94 |
C:\Users\Admin\Desktop\peripheries.lnk
| MD5 | 9c2c25f5678f37ccb518d4982267af56 |
| SHA1 | c2056c5e49bd0a99d9775e38c55d4d168d3413ca |
| SHA256 | 3190dc4b00e8eddc98fe87338ec19403cec90de198a99cc1980a5808fd48f691 |
| SHA512 | 4c34c004240092cb70a4a9cb5080f65e321e5d88b86170a9cbed682f29336259b6bc3e1b07e7e4f75daadef1b79d546ea3891249d71d40748b9675ddbb6c3ae7 |
C:\Users\Admin\AppData\Local\Temp\nsgA307.tmp\System.dll
| MD5 | cf85183b87314359488b850f9e97a698 |
| SHA1 | 6b6c790037eec7ebea4d05590359cb4473f19aea |
| SHA256 | 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac |
| SHA512 | fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b |
memory/1396-24644-0x00000000032E0000-0x0000000004B4B000-memory.dmp
memory/1396-24645-0x00000000032E0000-0x0000000004B4B000-memory.dmp
memory/1396-24648-0x0000000010000000-0x0000000010006000-memory.dmp
memory/1396-24647-0x0000000010004000-0x0000000010005000-memory.dmp
memory/1396-24646-0x0000000077A51000-0x0000000077B71000-memory.dmp
memory/1396-24649-0x00000000032E0000-0x0000000004B4B000-memory.dmp
memory/3356-24650-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24651-0x0000000001660000-0x0000000002ECB000-memory.dmp
memory/3356-24652-0x0000000077AD8000-0x0000000077AD9000-memory.dmp
memory/3356-24653-0x0000000077AF5000-0x0000000077AF6000-memory.dmp
memory/3356-24663-0x0000000001660000-0x0000000002ECB000-memory.dmp
memory/3356-24669-0x0000000000401000-0x0000000000404000-memory.dmp
memory/3356-24667-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24668-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24670-0x0000000077A51000-0x0000000077B71000-memory.dmp
memory/3356-24671-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24672-0x0000000000401000-0x0000000000404000-memory.dmp
memory/3356-24673-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24674-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24675-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3356-24676-0x0000000001660000-0x0000000002ECB000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 19:19
Reported
2024-11-06 19:23
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 19:19
Reported
2024-11-06 19:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 1300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2544 wrote to memory of 1300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2544 wrote to memory of 1300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |