Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 5, 2021, 9:39 p.m.	June 5, 2021, 9:41 p.m.

Size	4.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`046657092920bc79f132b58cbf8be510`
SHA256	`5bc1d2717cec8a09816e8f35260d2f1e8f6a04f3ccd0ba0e39fb8c67ca37ea54`
CRC32	`B836FD6D`
ssdeep	`98304:RFfi+d5K+WFgVx9clkKllOu/VZzWpbCIUdVfmP4vTZhUjsQpu:RdrZuYcRvb/v69OfzvTEXk`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

GirafficInstall1.0.0.17NoSign.exe "C:\Users\test22\AppData\Local\Temp\GirafficInstall1.0.0.17NoSign.exe"
7132
- AgentInstall.exe "C:\Program Files (x86)\Giraffic\AgentInstall.exe" /S
  7400
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\tempfile.ps1"
  8752
- GirafficTray.exe "C:\Program Files (x86)\Giraffic\GirafficTray.exe"
  7532
  - GirafficTrayUpdate.exe "C:\Users\test22\AppData\Local\Temp\GirafficTrayUpdate\GirafficTrayUpdate.exe" /UPDATE_WAIT "C:\Program Files (x86)\Giraffic\GirafficTray.exe" 1613747642
    3464
    - GirafficTray.exe "C:\Program Files (x86)\Giraffic\GirafficTray.exe"
      8836

Name	Response	Post-Analysis Lookup
ping.giraffic.com	CNAME mlb-127500491.eu-west-1.elb.amazonaws.com CNAME mlb.giraffic.com A 34.250.171.60 A 52.214.72.80	52.214.72.80
rendezvous1.giraffic.com	A 18.200.206.178	18.200.206.178
yahoo.com	A 74.6.231.21 A 74.6.231.20 A 74.6.143.26 A 74.6.143.25 A 98.137.11.163 A 98.137.11.164	74.6.231.21
mseed.giraffic.com	A 54.171.169.161 CNAME ec2-54-171-169-161.eu-west-1.compute.amazonaws.com	54.171.169.161
facebook.com	A 157.240.215.35	157.240.215.35
rendezvous3.giraffic.com	A 18.200.206.178	18.200.206.178
srv.giraffic.com
mlb.giraffic.com	CNAME mlb-127500491.eu-west-1.elb.amazonaws.com A 34.250.171.60 A 52.214.72.80	52.214.72.80
rendezvous7.giraffic.com	A 18.200.206.178	18.200.206.178
test.giraffic.com
google.com	A 172.217.161.142	172.217.31.174
chromodoris.s3.amazonaws.com	CNAME s3-3-w.amazonaws.com A 52.218.52.233	52.218.41.130
rendezvous9.giraffic.com	A 18.200.206.178	18.200.206.178
rendezvous5.giraffic.com	A 18.200.206.178	18.200.206.178

IP Address	Status	Action
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.161.142	Active	Moloch
172.217.25.14	Active	Moloch
175.208.134.150	Active	Moloch
18.200.206.178	Active	Moloch
34.250.171.60	Active	Moloch
34.255.131.204	Active	Moloch
52.218.52.233	Active	Moloch
54.171.169.161	Active	Moloch
62.113.216.169	Active	Moloch
74.6.231.21	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:52053 -> 175.208.134.150:52053	2018904	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)	Generic Protocol Command Decode
UDP 192.168.56.102:52053 -> 18.200.206.178:3478	2018904	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)	Generic Protocol Command Decode
UDP 192.168.56.102:52053 -> 18.200.206.178:3478	2018907	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)	Generic Protocol Command Decode
UDP 192.168.56.102:52053 -> 18.200.206.178:3478	2018905	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)	Generic Protocol Command Decode
UDP 18.200.206.178:3478 -> 192.168.56.102:52053	2018908	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Generic Protocol Command Decode
TCP 52.218.52.233:80 -> 192.168.56.102:49859	2013414	ET POLICY Executable served from Amazon S3	Potentially Bad Traffic
TCP 52.218.52.233:80 -> 192.168.56.102:49859	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49820 34.250.171.60:443	CN=ip-10-226-5-106.eu-west-1.compute.internal	CN=ip-10-226-5-106.eu-west-1.compute.internal	c4:ac:9f:36:1f:de:3c:54:da:16:e7:91:eb:d3:f8:b1:d8:87:3f:0d
TLS 1.2 192.168.56.102:49825 34.250.171.60:443	CN=ip-10-226-5-106.eu-west-1.compute.internal	CN=ip-10-226-5-106.eu-west-1.compute.internal	c4:ac:9f:36:1f:de:3c:54:da:16:e7:91:eb:d3:f8:b1:d8:87:3f:0d
TLS 1.2 192.168.56.102:49827 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49832 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49834 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49836 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49835 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49839 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49840 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49853 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49849 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49838 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49851 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49841 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49844 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49852 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49846 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49837 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49843 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49848 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49857 34.250.171.60:8443	CN=ip-10-226-5-106.eu-west-1.compute.internal	CN=ip-10-226-5-106.eu-west-1.compute.internal	c4:ac:9f:36:1f:de:3c:54:da:16:e7:91:eb:d3:f8:b1:d8:87:3f:0d
TLS 1.2 192.168.56.102:49850 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49854 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49833 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49842 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49845 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49847 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49858 34.250.171.60:8443	CN=ip-10-226-5-106.eu-west-1.compute.internal	CN=ip-10-226-5-106.eu-west-1.compute.internal	c4:ac:9f:36:1f:de:3c:54:da:16:e7:91:eb:d3:f8:b1:d8:87:3f:0d
TLS 1.2 192.168.56.102:49855 34.250.171.60:443	CN=ip-10-226-5-106.eu-west-1.compute.internal	CN=ip-10-226-5-106.eu-west-1.compute.internal	c4:ac:9f:36:1f:de:3c:54:da:16:e7:91:eb:d3:f8:b1:d8:87:3f:0d
TLS 1.2 192.168.56.102:49856 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49860 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49866 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49870 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49867 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49868 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49874 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49869 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
TLS 1.2 192.168.56.102:49871 54.171.169.161:443	C=US, O=Let's Encrypt, CN=R3	CN=mseed.giraffic.com	a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 5, 2021, 9:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2021, 9:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2021, 9:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2021, 9:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 5, 2021, 9:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2021, 9:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 5, 2021, 9:41 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 5, 2021, 9:39 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (45 events)

Time & API	Arguments	Status	Return
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a90c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a88c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a8dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062c1228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062c1228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062c1228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062c1228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2021, 9:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062c1228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 5, 2021, 9:39 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ June 5, 2021, 9:41 p.m.	stacktrace: RtlIntegerToUnicodeString+0x20b RtlpUnWaitCriticalSection-0x1c4 ntdll+0x38cb8 @ 0x773d8cb8 giraffictray+0x401f7 @ 0xbe01f7 exception.instruction_r: ff 40 14 8b 5d f4 8b 7d f0 80 3d 82 03 fe 7f 00 exception.symbol: RtlIntegerToUnicodeString+0x2fc RtlpUnWaitCriticalSection-0xd3 ntdll+0x38da9 exception.instruction: inc dword ptr [eax + 0x14] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 232873 exception.address: 0x773d8da9 registers.esp: 4322908 registers.edi: 41545384 registers.eax: 0 registers.ebp: 4322988 registers.edx: 4 registers.ebx: 4294967292 registers.esi: 41545380 registers.ecx: 0	1
__exception__ June 5, 2021, 9:41 p.m.	stacktrace: giraffictrayupdate+0x47fb8 @ 0x107fb8 giraffictrayupdate+0x381bd5 @ 0x441bd5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.instruction: btr dword ptr [eax], 0 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 139970 exception.address: 0x773c22c2 registers.esp: 70385052 registers.edi: 4 registers.eax: 8 registers.ebp: 70385072 registers.edx: 1 registers.ebx: 0 registers.esi: 8 registers.ecx: 2917194646	1
__exception__ June 5, 2021, 9:41 p.m.	stacktrace: giraffictrayupdate+0x47fb8 @ 0x107fb8 giraffictrayupdate+0x381bd5 @ 0x441bd5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.instruction: btr dword ptr [eax], 0 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 139970 exception.address: 0x773c22c2 registers.esp: 71432536 registers.edi: 4 registers.eax: 8 registers.ebp: 71432556 registers.edx: 1 registers.ebx: 0 registers.esi: 8 registers.ecx: 2911952714	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mlb.giraffic.com/inst_report.php?op=15549906_1.0.0.25_Watchdog_Silent_Install&msg=Init
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mlb.giraffic.com/inst_report.php?op=15569187_1.0.0.25_Agent_Silent_Install&msg=Init
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mlb.giraffic.com/inst_report.php?op=15569187_1.0.0.25_Agent_Silent_Install&msg=Installation_Complete
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mlb.giraffic.com/inst_report.php?op=15549906_1.0.0.25_Watchdog_Silent_Install&msg=Installation_Complete

Performs some HTTP requests (5 events)

request	GET http://chromodoris.s3.amazonaws.com/GirafficInstall1.0.0.25.exe
request	GET http://mlb.giraffic.com/inst_report.php?op=15549906_1.0.0.25_Watchdog_Silent_Install&msg=Init
request	GET http://mlb.giraffic.com/inst_report.php?op=15569187_1.0.0.25_Agent_Silent_Install&msg=Init
request	GET http://mlb.giraffic.com/inst_report.php?op=15569187_1.0.0.25_Agent_Silent_Install&msg=Installation_Complete
request	GET http://mlb.giraffic.com/inst_report.php?op=15549906_1.0.0.25_Watchdog_Silent_Install&msg=Installation_Complete

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	34.250.171.60
ip	175.208.134.150
ip	18.200.206.178
ip	34.255.131.204
ip	62.113.216.169

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 7400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74434000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05015000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05016000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05017000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05018000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05019000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2021, 9:39 p.m.	process_identifier: 8752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (20 events)

file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\tempfile.ps1
file	C:\Program Files (x86)\Giraffic\Giraffic.exe
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\SimpleFC.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\nsExec.dll
file	C:\Program Files (x86)\Giraffic\AgentInstall.exe
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\UserInfo.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\UserInfo.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\nsisdl.dll
file	C:\Program Files (x86)\Giraffic\GirafficTray.exe
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\Processes.dll
file	C:\Program Files (x86)\Giraffic\GirafficTrayUtil.exe
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\nsisdl.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\SimpleSC.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\Processes.dll
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\System.dll
file	C:\Program Files (x86)\Giraffic\GirafficWatchdog.exe
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\SimpleFC.dll
file	C:\Program Files (x86)\Giraffic\GirafficUninstall.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 5, 2021, 9:39 p.m.	service_start_name: start_type: 2 password: display_name: Accumulus Backup filepath: C:\Program Files (x86)\Giraffic\GirafficWatchdog.exe --service service_name: Giraffic filepath_r: C:\Program Files (x86)\Giraffic\GirafficWatchdog.exe --service desired_access: 65556 service_handle: 0x008b2b88 error_control: 1 service_type: 16 service_manager_handle: 0x008b2ae8	1	9120648	0

Creates a shortcut to an executable file (1 event)

file	C:\Program Files (x86)\Giraffic\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\tempfile.ps1"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\GirafficTrayUpdate\GirafficTrayUpdate.exe
file	C:\Program Files (x86)\Giraffic\GirafficTray.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\SimpleSC.dll
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\nsisdl.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\SimpleFC.dll
file	C:\Users\test22\AppData\Local\Temp\GirafficTrayUpdate\GirafficTrayUpdate.exe
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\Processes.dll
file	C:\Users\test22\AppData\Local\Temp\nsf29D5.tmp\UserInfo.dll
file	C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\nsExec.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW June 5, 2021, 9:39 p.m.	snapshot_handle: 0x00000264 process_name: pw.exe process_identifier: 8276	1	1
Process32NextW June 5, 2021, 9:39 p.m.	snapshot_handle: 0x00000264 process_name: taskhost.exe process_identifier: 2808	1	1
Process32NextW June 5, 2021, 9:39 p.m.	snapshot_handle: 0x00000264 process_name: GirafficInstall1.0.0.17NoSign.exe process_identifier: 7132	1	1
Process32NextW June 5, 2021, 9:39 p.m.	snapshot_handle: 0x00000264 process_name: GirafficWatchdog.exe process_identifier: 4384	1	1
Process32NextW June 5, 2021, 9:39 p.m.	snapshot_handle: 0x00000264 process_name: GirafficTray.exe process_identifier: 7532	1	1
Process32NextW June 5, 2021, 9:39 p.m.	snapshot_handle: 0x00000264 process_name: ᠐ process_identifier: 41640800		0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 5, 2021, 9:39 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 5, 2021, 9:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 5, 2021, 9:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 5, 2021, 9:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 5, 2021, 9:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 5, 2021, 9:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA June 5, 2021, 9:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromodoris base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromodoris		2	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nsxFC9B.tmp\tempfile.ps1"

Communicates with host for which no DNS query was performed (4 events)

host	172.217.25.14
host	175.208.134.150
host	34.255.131.204
host	62.113.216.169

Installs itself for autorun at Windows startup (3 events)

service_name	Giraffic	service_path	C:\Program Files (x86)\Giraffic\GirafficWatchdog.exe --service
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Giraffic	reg_value	C:\Program Files (x86)\Giraffic\GirafficTray.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Giraffic	reg_value	C:\Program Files (x86)\Giraffic\GirafficTray.exe

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Generates some ICMP traffic

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Johnnie.314261
FireEye	Gen:Variant.Johnnie.314261
CAT-QuickHeal	Trojan.Agent
McAfee	Artemis!046657092920
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.1811760
Sangfor	Trojan.Win32.Zpevdo.B
Alibaba	Trojan:Win32/MalwareX.1a35b846
Cybereason	malicious.92920b
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:Trojan.Win32.Agent.gen
BitDefender	Gen:Variant.Johnnie.314261
Paloalto	generic.ml
Sophos	Mal/Generic-S (PUA)
TrendMicro	TROJ_GEN.R011C0WCD21
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
Emsisoft	Gen:Variant.Johnnie.314261 (B)
Avira	HEUR/AGEN.1142075
MAX	malware (ai score=88)
Microsoft	HackTool:Win32/AutoKMS!ml
AegisLab	Trojan.Win32.Agent.4!c
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Gen:Variant.Johnnie.314261
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Agent
ALYac	Gen:Variant.Johnnie.314261
TrendMicro-HouseCall	TROJ_GEN.R01FH0CC221
Yandex	Trojan.Slntscn24.bVVB1s
Fortinet	W32/Agent!tr
AVG	Win32:MalwareX-gen [Trj]

GirafficInstall1.0.0.17NoSign.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All