Analysis Overview
SHA256
6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4
Threat Level: Known bad
The file 6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4 was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Guloader family
Remcos
Remcos family
NirSoft MailPassView
NirSoft WebBrowserPassView
Detected Nirsoft tools
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-17 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-17 19:47
Reported
2024-12-17 19:50
Platform
win7-20240903-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\nsuokfchgnmeuhixosxqwaumzynh"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\xuhhdxniuvejwvebfdkszeovieeicixt"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\iomz"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 162.251.122.87:2404 | | tcp |
| US | 162.251.122.87:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsyF827.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 8ce4b16b22b58894aa86c421e8759df3 |
| SHA1 | 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c |
| SHA256 | 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a |
| SHA512 | 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25 |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 25bc6654798eb508fa0b6343212a74fe |
| SHA1 | 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93 |
| SHA256 | 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc |
| SHA512 | 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898 |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 4e27f2226785e9abbe046fc592668860 |
| SHA1 | 28b18a7f383131df509f7191f946a32c5a2e410c |
| SHA256 | 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d |
| SHA512 | 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | cde63b34c142af0a38cbe83791c964f8 |
| SHA1 | ece2b194b486118b40ad12c1f0e9425dd0672424 |
| SHA256 | 65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d |
| SHA512 | 0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | e2fecc970546c3418917879fe354826c |
| SHA1 | 63f1c1dd01b87704a6b6c99fd9f141e0a3064f16 |
| SHA256 | ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0 |
| SHA512 | 3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 50484c19f1afdaf3841a0d821ed393d2 |
| SHA1 | c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b |
| SHA256 | 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c |
| SHA512 | d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 67cfa7364c4cf265b047d87ff2e673ae |
| SHA1 | 56e27889277981a9b63fcf5b218744a125bbc2fa |
| SHA256 | 639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713 |
| SHA512 | 17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | c3cb69218b85c3260387fb582cb518dd |
| SHA1 | 961c892ded09a4cbb5392097bb845ccba65902ad |
| SHA256 | 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101 |
| SHA512 | 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422 |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 2b3884fe02299c565e1c37ee7ef99293 |
| SHA1 | d8e2ef2a52083f6df210109fea53860ea227af9c |
| SHA256 | ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858 |
| SHA512 | aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe |
C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp
| MD5 | 9a53fc1d7126c5e7c81bb5c15b15537b |
| SHA1 | e2d13e0fa37de4c98f30c728210d6afafbb2b000 |
| SHA256 | a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92 |
| SHA512 | b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1 |
C:\Users\Admin\AppData\Local\Temp\nsuokfchgnmeuhixosxqwaumzynh
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\ProgramData\remcos\logs.dat
| MD5 | d6bc8017fa2d97fda7fff520ad8dd674 |
| SHA1 | 4b2a94aefd11b284392d804b6b7842073d31e20b |
| SHA256 | 53b662f3f47adbf4723ccafcf0cc2d0e0ca63a2040bb00094544046434cd9147 |
| SHA512 | a4f8dfc898ade6cf3273f66a6373230742deb2cb7a9b9af78734cfbf1ce41280da94d1c3ed4a7139aebb6ef2b3d85f9dd3833af254eeeb1db343f87e30235752 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-17 19:47
Reported
2024-12-17 19:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\rwinsbyuadchbmidwkmayvakevywc"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\cznfttqwolullswpnuhbbautfjqxvqyz"
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtbqu"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.187.63.66.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | | tcp |
| US | 162.251.122.87:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 87.122.251.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsvBAF5.tmp
| MD5 | 903e0572b61353c5e9e2f94582bd26d9 |
| SHA1 | bf6d18b2607a519c4486e845921b7070e53cb8eb |
| SHA256 | fcc0de8ebc57a00f3f48bc8ba2e93cedc7efe9ecc9600ad63cdd1ba1d6c4fdea |
| SHA512 | 3857e85783aa8af1cd075e91729bfd471c3df9d93d944501bf8bd663df9ad1348ee9d81403505851d468beaea9a3ac0ad6799eb4b2e328176c27d32cdf206b94 |
C:\Users\Admin\AppData\Local\Temp\nsvBAF5.tmp
| MD5 | 814da453daa6269ca4ed4cd15266b28c |
| SHA1 | 82981f8c0d5d3ffccbf06fff867f8c3b1aaa454b |
| SHA256 | 791004efaa6a41452708fe5db95097b4681e4f4d386e33b8044088b8f736d743 |
| SHA512 | 3336dbdf67c28567e9cd6a495e2e7d7e7fca21fccdff35b7c84588237829c32f69be5f733cbc3e3bf1614868a3e9e6000c5ff3116b4cc035723c37ca743cb948 |
C:\Users\Admin\AppData\Local\Temp\nsvBAF5.tmp
| MD5 | 16d513397f3c1f8334e8f3e4fc49828f |
| SHA1 | 4ee15afca81ca6a13af4e38240099b730d6931f0 |
| SHA256 | d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36 |
| SHA512 | 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3 |
C:\Users\Admin\AppData\Local\Temp\nsgBB83.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp
| MD5 | 9a53fc1d7126c5e7c81bb5c15b15537b |
| SHA1 | e2d13e0fa37de4c98f30c728210d6afafbb2b000 |
| SHA256 | a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92 |
| SHA512 | b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1 |
C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp
| MD5 | 749841d5d4f33aa61da2072ca8c75d85 |
| SHA1 | ed779369af6004bb662353a1a1688de21c9d5964 |
| SHA256 | 05ec837bf0f57ead1b3fae5bec24f103831be6946eda1fe4cec3700ae019b117 |
| SHA512 | 07884f39b2b1646dbad182d39167df36cb86fd3751b5c125b84ab3b3594dd0f6884d73f7f65d099e2874a0a73f8a76d7610b3ab30e174945a70073176e07b886 |
C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp
| MD5 | 3e930ca30f900b15da4ef96902f9b347 |
| SHA1 | 92c4cd5b76b9be895152fdb3adcd165192daa552 |
| SHA256 | 688f5bdbcde116a168af5f0ea57296f14181abe8fb92292eaf11febd498e3d42 |
| SHA512 | 40bcbeea8dcf22201d275e68be32deadc953a2383f11788947d10aabf4469d61d8e3b86ded7e7369a9d413974d90e628aa1a4a6e6bc2b60c2de20bbd896fd489 |
C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp
| MD5 | 088d509592627d226179707a88a1f4ee |
| SHA1 | 8c03f8a469d4dc4e7f65da8daa8c0e9cdebbe9f4 |
| SHA256 | 7938b90dbe50e63bd3bc2b7ae77d43ba7c01c15354ab01f9a0b63ebac56b796d |
| SHA512 | f36c70cbb4dbb09a8081b472ceb712b983a676d5a34dc19ec4d0d95126c4e6b80cdd66640e304eb35445503255c9aac22edf386bf6782151844e8df4e1874d5f |
C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp
| MD5 | 1aeb67240bc704bf6cc2fa0a6f52a970 |
| SHA1 | 0d5cbc71d7e606e7f1a68332be8a7a5a7b4be02d |
| SHA256 | bbd283b5a658ac95e8811c820de41f911e7559e982d9378b5b14c3f7cb5ccb6d |
| SHA512 | c64bdb3c49ff5ca422fe5a4a03fac5145072f7cf692addc23e811ce39c25fc7fcb8e15a07fd770eb8d392d86cfc12c3520b080899a4d2c85646c09b181f2b47c |
C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp
| MD5 | 5d04a35d3950677049c7a0cf17e37125 |
| SHA1 | cafdd49a953864f83d387774b39b2657a253470f |
| SHA256 | a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266 |
| SHA512 | c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b |
C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp
| MD5 | 558ec0e73952eb4a395e7f17eb69221e |
| SHA1 | d1cb97bfc8d9fad9eab7d19e685029b5f7084709 |
| SHA256 | 4d8a1cb0f83d824cec9e15e4d45605ed2cc92ae959602d0cc8873b0125d4cd74 |
| SHA512 | 698fb90fadb2b22ce78f874dac04c2f0bf72340d39f135e7736afdb9a9b28c9c55a8c6c9f871676134e6d057a90afc2944d1f1e8a117cc0f7a90c8d9b60c5dbe |
C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp
| MD5 | adfb82dfa0a66bd7e108a83873cbd4cf |
| SHA1 | caaf90327bb1e7b6731e154351f351bf3a3bb1c4 |
| SHA256 | 2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228 |
| SHA512 | 103f484f3497eaf8cc231f09a5c565ba524d5af523970272d9a853ede106fc176f524bb6aeb8f7f59992e7a5651abb55b80134d539bb050aaf780624422d982b |
C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp
| MD5 | 7982b73098961cce471cecdc33aa7bbb |
| SHA1 | 737a12718c3514cbd45d67ab94b567d1efafc879 |
| SHA256 | 6200b359a17d741c230d3208b9d12c3895194d6ac646289021948c03b8fe26d5 |
| SHA512 | b84043c3b4f41e7f5f82e9ba0d1a461f20b85260f6b2a0ded03da4e7cd2d635d0b292738fdb6a0eaace97e2dadd6d02d239ec1e8b7ac9dc59cb24966e82e0a42 |
C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp
| MD5 | ec01133e3c51113d5e323255076c8eb9 |
| SHA1 | 7ad186ced7288ca1fe7b48d41ce6b7a778676cd7 |
| SHA256 | a643b23096ea0159d733afa20a64421a386c26e86b8bfddd0ccb18c3b58feef4 |
| SHA512 | 7e4a43ac6c968540a0a3cb37ce2ca7ddf1314139db166147ab0a2256126e6b447b6450a6cae992e735f8daa572aa3c00c9375a1af5cdc4304af8da5d11be3ff7 |
C:\Users\Admin\AppData\Local\Temp\nsgBC70.tmp
| MD5 | 2b3884fe02299c565e1c37ee7ef99293 |
| SHA1 | d8e2ef2a52083f6df210109fea53860ea227af9c |
| SHA256 | ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858 |
| SHA512 | aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe |
C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp
| MD5 | df8379d971f8775d91cd01506f558897 |
| SHA1 | e28ff2839b7cf171ce3540cb2de64fa18db9b12c |
| SHA256 | ae63da186497c9240a3af76e8e52198426c3492aa7dcc62e8910405ef981ecec |
| SHA512 | ac091f635bc253fed0c5c9e516f4e58968033793c66b2ec3e5ed31aa42d63667d85f1661ca6fbe8cfc28ad59b07d903556987c7f79aa59610934c3d6f6f60f02 |
C:\Users\Admin\AppData\Local\Temp\nsgBC70.tmp
| MD5 | 25f205f6839d0787565c29c38a66e75e |
| SHA1 | a2fbad8a011fe9e90a71727905ab119dd3c39b0f |
| SHA256 | e2b210499b723d06146d7e4b169a4ae664b9f157a7ce9fdf76f763acad5163b2 |
| SHA512 | 24b55c8bc4a2a7cd3e4360e0bdbd9dfdb8c81a5cc8b8e8205916064ebbcb9e83ffb86e6d42dc1325c93539625b66540353180119469b31d2a01b6c7300e9e495 |
C:\Users\Admin\AppData\Local\Temp\nsgBC70.tmp
| MD5 | d52de89f9a53448452938d5bef6370af |
| SHA1 | 0a5e19717c5f25862231235165135923d3a3f6af |
| SHA256 | 8f38876522a41713735c750b50769955e309c3d608811003b6d16ca5f4b80282 |
| SHA512 | 568e7cdea808709be892eacc59033688c4f7352a395aefbfc618519142136538c6220ca00b10abfc44e34e9d635dd72c5b51eefae2ab2a873149523c425f51f9 |
C:\Users\Admin\AppData\Local\Temp\nsgBC70.tmp
| MD5 | 4ff83567cd3f682cb62e957f312f61a0 |
| SHA1 | 5bb6b4b35e74fb335211813b25025166939ddf10 |
| SHA256 | 9a2382a1ededef09ef70d6dfcea50be1594799e518a9f89c111875301539a2ae |
| SHA512 | e7fbb21a2eaee93f4f607b77476c8605a7233cb16c0ef576fac05235252c5a0dab338277749a9a38babf9163d9d582d481e2a739ebbb578bfb3b813fc36a678e |
C:\Users\Admin\AppData\Local\Temp\nsmBCDF.tmp
| MD5 | bc86ffa91686a2ee2ac3cc3d50c4389e |
| SHA1 | 6d81aa156225f8df56a7711519ac3ff87abec24f |
| SHA256 | 9e56c757510a69c7ee47407dbda53e8d8b983755854362df4dbcad941696dceb |
| SHA512 | 5c54242e478199a95f615af1ac74fda63f4a1a1e22ef5799dc552ed432320adb20df54f9083cee1ee7c2d8ef2792f0f12e579229b7c64ffb74952e3044f4b7ff |
C:\Users\Admin\AppData\Local\Temp\nsmBCDF.tmp
| MD5 | f15bfdebb2df02d02c8491bde1b4e9bd |
| SHA1 | 93bd46f57c3316c27cad2605ddf81d6c0bde9301 |
| SHA256 | c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043 |
| SHA512 | 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1 |
C:\Users\Admin\AppData\Local\Temp\rwinsbyuadchbmidwkmayvakevywc
| MD5 | 79f35c7500a5cc739c1974804710441f |
| SHA1 | 24fdf1fa45049fc1a83925c45357bc3058bad060 |
| SHA256 | 897101ed9da25ab0f10e8ad1aeb8dabc3282ccfdb6d3171dbac758117b8731f4 |
| SHA512 | 03281e8abecff4e7d1f563596a4fd2513e016b7fbf011a455141460f9448d00b4a4666d2036cb448a8ac9a6feebeb51b366289ffa2ee5524a062fe8869aec61e |
C:\ProgramData\remcos\logs.dat
| MD5 | 35b48c45997d59f62beafbde25ee9baa |
| SHA1 | 2de919be0898a1f4bbda2ef613f6a9c7f24c1eaa |
| SHA256 | 94401a1d7af2fff5422f6c5749dc7305c562ad17fabcac072a8c61100c561840 |
| SHA512 | 2917bae5129938a0dc3901c435f317518b48fd1db2ebeebca58e0605c8dc892b6b3b95f8c484cd86e65a51b3158f7f6558741ee283f3c5f91d7231bff3aa3b9d |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-17 19:47
Reported
2024-12-17 19:50
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-17 19:47
Reported
2024-12-17 19:50
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4744 wrote to memory of 4904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4744 wrote to memory of 4904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4744 wrote to memory of 4904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4904 -ip 4904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |