Nmap Development mailing list archives

Anyone have an idea which might have triggered this?


From: "Kurt Buff - GSEC, GCIH" <kurt.buff () gmail com>
Date: Thu, 15 Aug 2019 13:18:55 -0700

I was running zenmap against a /24 (excluding my own IP address) doing
the slow comprehensive scan, and it completed successfully around
22:00 Pacific last night.

I left the machine running, and just now (12:40 Pacific) I got an
alert from Carbon Black on this machine:


     12:40:36 pm Aug 15, 2019
     nmap.exe (Run as US-IT-LOANERL2\Admin) The application
     C:\Program Files (x86)\Nmap\nmap.exe established a UDP/65495
     connection to 187.1.0.0:65495 (187.1.0.0, located in Itaberaba 05,
     Brazil) from 128.18.255.255:516. The device was on the corporate
     network using the public address xx.yy.zz.aa (128.18.255.255,
     located in Redmond WA, United States). The operation was successful.

The public address "xx.yy.zz.aa" doesn't match the 128.18.255.255
address - I have no idea where that came from.

The only apps running on this machine were Chrome and nmap/zenmap.
It's a Win10 box.

Would this be nmap checking for updates, or something else known to
nmap experts?

Is there any way to trace or determine what nmap might have been doing
during this event?

Thanks,

Kurt
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

