Analysis Overview
SHA256
6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4
Threat Level: Known bad
The file 6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Guloader family
Remcos
Guloader,Cloudeye
NirSoft WebBrowserPassView
NirSoft MailPassView
Detected Nirsoft tools
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-17 03:11
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-17 03:11
Reported
2024-12-17 03:14
Platform
win7-20240903-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\jhvfzkxcdvaqagzsjapu"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\tkjysciwrdsdcuveslcvjoip"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\veoitvtxflkinajijwwxubcgdte"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 162.251.122.87:2404 | | tcp |
| US | 162.251.122.87:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\ProgramData\remcos\logs.dat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-17 03:11
Reported
2024-12-17 03:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\sirz"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\udxrqts"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\efkcrldkgo"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 8.8.8.8:53 | 30.187.63.66.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | | tcp |
| US | 162.251.122.87:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\ProgramData\remcos\logs.dat
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-17 03:11
Reported
2024-12-17 03:14
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-17 03:11
Reported
2024-12-17 03:14
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2312 wrote to memory of 1492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 612
Network