Advanced File Analysis System

Contacted IPs

Network Port Distribution

Name	IP	Country	ASN	ASN Name	Trigger Process Type
	8.8.4.4	United States	15169	Level 3 Parent, LLC	Malware Process
	104.18.20.226	United States	13335	Cloudflare, Inc.	Malware Process
	23.215.131.176	United States	20940	Akamai Technologies, Inc.	OS Process
	23.215.131.200	United States	20940	Akamai Technologies, Inc.	OS Process
	23.23.157.142	United States	14618	Amazon.com, Inc.	Malware Process
crl.globalsign.net	104.18.21.226	United States	13335	Cloudflare, Inc.	Malware Process
crl.microsoft.com	63.238.216.200	United States	209	Qwest Communications Company, LLC	OS Process
ocsp.digicert.com	72.21.91.29	United States	15133	MCI Communications Services, Inc. d/b/a Verizon Business	Malware Process
storage.googleapis.com	172.217.12.176	United States	15169	Google LLC	Malware Process
ctldl.windowsupdate.com	184.24.97.176	United States	20940	Akamai Technologies, Inc.	OS Process
api.raygun.io	54.243.218.230	United States	14618	Amazon Technologies Inc.	Malware Process

HTTP Packets

Host	Port	Method	Version	User Agent	Count	Call Time During Execution(Sec)
ctldl.windowsupdate.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	14.8448390961
Path: /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5214f422c8e1da2d URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5214f422c8e1da2d
ctldl.windowsupdate.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	20.185049057
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?1932ba0be8ccc86d URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1932ba0be8ccc86d
ocsp.digicert.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	25.6093070507
Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEA3Q4zdKyVvb%2BmtDSypI7AY%3D URI: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEA3Q4zdKyVvb%2BmtDSypI7AY%3D
ocsp.digicert.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	30.8133530617
Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSHRqVSKsocqbcuJkRZwJjSAmttHAQUrWkGcPyAGxazqRiUa5QChl73J4wCEA8DpEdAc3HbUzijkx9jirc%3D URI: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSHRqVSKsocqbcuJkRZwJjSAmttHAQUrWkGcPyAGxazqRiUa5QChl73J4wCEA8DpEdAc3HbUzijkx9jirc%3D
crl.microsoft.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	69.8760750294
Path: /pki/crl/products/tspca.crl URI: http://crl.microsoft.com/pki/crl/products/tspca.crl
crl.microsoft.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	75.591643095
Path: /pki/crl/products/CodeSignPCA2.crl URI: http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
storage.googleapis.com	80	GET	1.1		1	77.4215579033
Path: /ss-installers/windows/avirasdk/3.0.0/avira32redist.zip URI: http://storage.googleapis.com/ss-installers/windows/avirasdk/3.0.0/avira32redist.zip
crl.microsoft.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	81.6734809875
Path: /pki/crl/products/WinPCA.crl URI: http://crl.microsoft.com/pki/crl/products/WinPCA.crl
crl.globalsign.net	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	88.5741620064
Path: /primobject.crl URI: http://crl.globalsign.net/primobject.crl
storage.googleapis.com	80	HEAD	1.1		1	100.901161909
Path: /savapi/vdf.zip URI: http://storage.googleapis.com/savapi/vdf.zip
storage.googleapis.com	80	GET	1.1		1	100.940212965
Path: /savapi/vdf.zip URI: http://storage.googleapis.com/savapi/vdf.zip

DNS Queries/Answers

Request	Type
ctldl.windowsupdate.com	A
Answers - ctldl.windowsupdate.nsatc.net (CNAME) - 23.215.131.176 (A) - a1621.g.akamai.net (CNAME) - ctldl.windowsupdate.com.edgesuite.net (CNAME) - 23.215.131.169 (A)
ocsp.digicert.com	A
Answers - cs9.wac.phicdn.net (CNAME) - 72.21.91.29 (A)
crl.microsoft.com	A
Answers - crl.www.ms.akadns.net (CNAME) - 23.215.131.200 (A) - 23.215.131.195 (A) - a1363.dscg.akamai.net (CNAME)
storage.googleapis.com	A
Answers - storage.l.googleusercontent.com (CNAME) - 172.217.12.176 (A)
crl.globalsign.net	A
Answers - 104.18.21.226 (A) - global.prd.cdn.globalsign.com (CNAME) - cdn.globalsigncdn.com.cdn.cloudflare.net (CNAME) - 104.18.20.226 (A)
api.raygun.io	A
Answers - raygun-api-763117148.us-east-1.elb.amazonaws.com (CNAME) - 174.129.18.184 (A) - 54.243.47.173 (A) - 23.23.157.142 (A) - 54.243.218.230 (A)

TCP Packets

Call Time During Execution(sec)	Source IP	Dest IP	Dest Port
14.8448390961	Sandbox	23.215.131.176	80
20.185049057	Sandbox	23.215.131.176	80
25.6093070507	Sandbox	72.21.91.29	80
69.8760750294	Sandbox	23.215.131.200	80
77.4215579033	Sandbox	172.217.12.176	80
88.5741620064	Sandbox	104.18.20.226	80
101.382941008	Sandbox	192.168.56.9	49249
152.438287973	Sandbox	23.23.157.142	443

UDP Packets

Call Time During Execution(sec)	Source IP	Dest IP	Dest Port
3.1119120121	Sandbox	192.168.56.255	137
3.20403194427	Sandbox	224.0.0.252	5355
3.20430803299	Sandbox	224.0.0.252	5355
3.62535691261	Sandbox	239.255.255.250	3702
5.76714992523	Sandbox	224.0.0.252	5355
9.15719604492	Sandbox	192.168.56.255	138
9.63107609749	Sandbox	224.0.0.252	5355
12.2271358967	Sandbox	224.0.0.252	5355
14.7877669334	Sandbox	8.8.4.4	53
15.0484728813	Sandbox	224.0.0.252	5355
17.6236178875	Sandbox	224.0.0.252	5355
20.4292578697	Sandbox	224.0.0.252	5355
22.9976608753	Sandbox	224.0.0.252	5355
25.5487699509	Sandbox	8.8.4.4	53
25.6967160702	Sandbox	224.0.0.252	5355
28.264029026	Sandbox	224.0.0.252	5355
64.0723938942	Sandbox	224.0.0.252	5355
67.1836988926	Sandbox	224.0.0.252	5355
69.8032031059	Sandbox	8.8.4.4	53
70.215446949	Sandbox	224.0.0.252	5355
73.0166919231	Sandbox	224.0.0.252	5355
74.3376069069	Sandbox	224.0.0.252	5355
75.9590499401	Sandbox	224.0.0.252	5355
77.3611409664	Sandbox	8.8.4.4	53
79.0475780964	Sandbox	224.0.0.252	5355
82.4072289467	Sandbox	224.0.0.252	5355
85.5330879688	Sandbox	224.0.0.252	5355
88.2544338703	Sandbox	8.8.4.4	53
152.275830984	Sandbox	8.8.4.4	53

File Name: 67eb0a16282599d3ead2977d264598fa31dd83f0

File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

SHA1: 67eb0a16282599d3ead2977d264598fa31dd83f0

MD5: ecebc09fec5652d173f5287faafb9c57