Advanced File Analysis System

File Name: ITParadiseSetup.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 90bed29242832e3d7380e92e7481a73517b81328

MD5: 8440bcebd3cd7291c73c31039e46d1ed

Contacted IPs

Network Port Distribution

IP	Country	ASN	ASN Name	Trigger Process Type
8.8.4.4	United States	15169	Level 3 Parent, LLC	Malware Process
104.18.61.210	United States	13335	Cloudflare, Inc.	Malware Process
104.28.17.56	United States	13335	Cloudflare, Inc.	Malware Process
184.26.44.98	United States	20940	Akamai Technologies, Inc.	OS Process
54.243.250.185	United States	14618	Amazon Technologies Inc.	Malware Process
69.195.158.198	United States	19969	Joe's Datacenter, LLC	Malware Process
192.241.99.194	Canada	55286	B2 Net Solutions Inc.	Malware Process
69.195.158.197		19969	Joe's Datacenter, LLC	Malware Process
178.255.83.1		35838		OS Process
107.21.103.188		14618	Amazon.com, Inc.	Malware Process
184.26.44.105		20940	Akamai Technologies, Inc.	Malware Process
184.26.44.97		20940	Akamai Technologies, Inc.	OS Process
178.255.83.1		35838		OS Process
23.215.99.85		20940	Akamai Technologies, Inc.	OS Process
94.130.73.107		24940		Malware Process
72.21.91.29		15133	MCI Communications Services, Inc. d/b/a Verizon Business	Malware Process
104.28.16.56		13335	Cloudflare, Inc.	Malware Process
85.10.210.166		24940		Malware Process
184.26.44.105		20940	Akamai Technologies, Inc.	Malware Process
104.18.60.210		13335	Cloudflare, Inc.	Malware Process

HTTP Packets

Host	Port	Method	Version	User Agent	Count	Call Time During Execution(Sec)
ctldl.windowsupdate.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	19.6296670437
Path: /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a64d7e59c4e4d02 URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a64d7e59c4e4d02
ocsp.digicert.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	27.399533987
Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8%2F8KeMTc%3D URI: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8%2F8KeMTc%3D
stp-1014845532.us-east-1.elb.amazonaws.com	80	GET	1.1	NSIS_Inetc (Mozilla)	1	31.2993881702
Path: /p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=1&adm=1&quant=1360569703 URI: http://stp-1014845532.us-east-1.elb.amazonaws.com/p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=1&adm=1&quant=1360569703
crl.microsoft.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	68.0047609806
Path: /pki/crl/products/tspca.crl URI: http://crl.microsoft.com/pki/crl/products/tspca.crl
crl.microsoft.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	74.1735210419
Path: /pki/crl/products/CodeSignPCA2.crl URI: http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
crl.microsoft.com	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	79.597561121
Path: /pki/crl/products/WinPCA.crl URI: http://crl.microsoft.com/pki/crl/products/WinPCA.crl
crl.globalsign.net	80	GET	1.1	Microsoft-CryptoAPI/6.1	1	86.1752231121
Path: /primobject.crl URI: http://crl.globalsign.net/primobject.crl

DNS Queries/Answers

Request	Type
applicationloft.com	A
Answers - 104.18.61.210 (A) - 104.18.60.210 (A)
ctldl.windowsupdate.com	A
Answers - ctldl.windowsupdate.nsatc.net (CNAME) - 184.26.44.105 (A) - a1621.g.akamai.net (CNAME) - 184.26.44.97 (A) - ctldl.windowsupdate.com.edgesuite.net (CNAME)
ocsp.digicert.com	A
Answers - cs9.wac.phicdn.net (CNAME) - 72.21.91.29 (A)
stp-1014845532.us-east-1.elb.amazonaws.com	A
Answers - 107.21.103.188 (A) - 54.243.250.185 (A)
notification.adblockplus.org	A
Answers - 136.243.58.99 (A) - 78.46.39.215 (A) - 88.99.186.149 (A) - 144.76.20.58 (A) - 88.99.186.151 (A) - 88.99.186.150 (A) - easylist-downloads.adblockplus.org (CNAME) - 5.9.15.86 (A) - 144.76.219.20 (A) - 178.63.70.146 (A) - 94.130.73.107 (A) - 46.4.115.44 (A) - 94.130.73.103 (A)
easylist-downloads.adblockplus.org	A
Answers - 176.9.146.200 (A) - 94.130.73.101 (A) - 176.9.116.83 (A) - 94.130.73.112 (A) - 176.9.127.15 (A) - 176.9.139.5 (A) - 94.130.73.106 (A) - 88.99.186.158 (A) - 144.76.137.234 (A)
easylist-downloads.adblockplus.org	AAAA
Answers - 2a01:4f8:140:30e7::2 (AAAA) - 2a01:4f8:141:132c::2 (AAAA) - 2a01:4f8:192:7126::2 (AAAA) - 2a01:4f8:c0c:2d12::2 (AAAA)
ocsp.comodoca.com	A
Answers - 178.255.83.1 (A)
ocsp.usertrust.com	A
ocsp.comodoca.com	AAAA
Answers - 2a02:1788:2fd::b2ff:5301 (AAAA)
ocsp.usertrust.com	AAAA
secure.informaction.com	A
Answers - 69.195.158.196 (A) - 69.195.158.198 (A) - 69.195.158.195 (A) - 69.195.158.197 (A) - 69.195.158.194 (A)
secure.informaction.com	AAAA
crl.microsoft.com	A
Answers - 184.26.44.98 (A) - crl.www.ms.akadns.net (CNAME) - a1363.dscg.akamai.net (CNAME)
ocsp.int-x3.letsencrypt.org	A
Answers - a771.dscq.akamai.net (CNAME) - 184.26.44.103 (A) - ocsp.int-x3.letsencrypt.org.edgesuite.net (CNAME)
a771.dscq.akamai.net	A
a771.dscq.akamai.net	AAAA
Answers - 2600:140a::48f6:2b38 (AAAA) - 2600:140a::48f6:2b2b (AAAA)
crl.globalsign.net	A
Answers - 104.28.16.56 (A) - 104.28.17.56 (A)

TCP Packets

Call Time During Execution(sec)	Source IP	Dest IP	Dest Port
10.8826069832	Sandbox	104.18.61.210	443
19.6296670437	Sandbox	184.26.44.105	80
27.399533987	Sandbox	72.21.91.29	80
27.6443769932	Sandbox	104.18.61.210	443
28.051156044	Sandbox	104.18.61.210	443
28.4417750835	Sandbox	104.18.61.210	443
31.2993881702	Sandbox	54.243.250.185	80
44.8992869854	Sandbox	5.9.15.86	443
56.14935112	Sandbox	69.195.158.198	443
68.0047609806	Sandbox	184.26.44.98	80
86.1752231121	Sandbox	104.28.17.56	80

UDP Packets

Call Time During Execution(sec)	Source IP	Dest IP	Dest Port
3.1400270462	Sandbox	224.0.0.252	5355
3.17139315605	Sandbox	192.168.56.255	137
3.17231416702	Sandbox	224.0.0.252	5355
3.17777609825	Sandbox	239.255.255.250	3702
5.73581314087	Sandbox	224.0.0.252	5355
6.85425114632	Sandbox	192.168.56.255	138
8.00993013382	Sandbox	224.0.0.252	5355
10.8133120537	Sandbox	8.8.4.4	53
13.8684341908	Sandbox	224.0.0.252	5355
16.8072052002	Sandbox	224.0.0.252	5355
19.524408102	Sandbox	8.8.4.4	53
21.6655991077	Sandbox	224.0.0.252	5355
24.5722100735	Sandbox	224.0.0.252	5355
27.3536100388	Sandbox	8.8.4.4	53
31.2441170216	Sandbox	8.8.4.4	53
44.3145031929	Sandbox	8.8.4.4	53
44.6404030323	Sandbox	8.8.4.4	53
44.664317131	Sandbox	8.8.4.4	53
53.9238860607	Sandbox	8.8.4.4	53
53.9638631344	Sandbox	8.8.4.4	53
54.1275141239	Sandbox	8.8.4.4	53
54.1662931442	Sandbox	8.8.4.4	53
54.1665291786	Sandbox	8.8.4.4	53
54.1771211624	Sandbox	8.8.4.4	53
56.0805470943	Sandbox	8.8.4.4	53
56.1064400673	Sandbox	8.8.4.4	53
56.1317050457	Sandbox	8.8.4.4	53
62.2213420868	Sandbox	224.0.0.252	5355
65.0214681625	Sandbox	224.0.0.252	5355
67.8990960121	Sandbox	8.8.4.4	53
68.8296320438	Sandbox	8.8.4.4	53
68.8607289791	Sandbox	224.0.0.252	5355
68.9721951485	Sandbox	8.8.4.4	53
69.0568900108	Sandbox	8.8.4.4	53
71.4799070358	Sandbox	224.0.0.252	5355
74.2059230804	Sandbox	224.0.0.252	5355
76.9593970776	Sandbox	224.0.0.252	5355
79.9207391739	Sandbox	224.0.0.252	5355
83.4357681274	Sandbox	224.0.0.252	5355
86.1303670406	Sandbox	8.8.4.4	53

Loading...