Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Jokers_Cleaner_V2.rar

windows7-x64

3

Jokers_Cleaner_V2.rar

windows10-2004-x64

7

Jokers_Cleaner_V2.exe

windows7-x64

7

Jokers_Cleaner_V2.exe

windows10-2004-x64

7

creal.pyc

windows7-x64

3

creal.pyc

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2024, 03:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    creal.pyc

  • Size

    32KB

  • MD5

    2ffd8e4ea301496367a7251927e17347

  • SHA1

    5ae74e8d31f1bad407c510a950ecee712c46fbef

  • SHA256

    9a34df241a4cad17587489c4cbfc8dfb69b21f830600f6e4b9ca0dd8c8ac54d4

  • SHA512

    14794d74d1fbdeca3f32d30bd0622f1592cc697202f8d3463752d7eee0c37024ab88a344a682a17cf877cc2803c654142958bb2a771005a6e96972f895124def

  • SSDEEP

    768:L8Dnroh2VsfNEiyAuAfKFMrRtfqtvEwS7bnjerAroaHDsIAvN8YC06X:Ijrae3aKFcfDwS7fOPviYD6X

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\creal.pyc
    1⤵
    • Modifies registry class
    PID:2208
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\creal.pyc"
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2122B817BE3FD6BD93ED300968068158 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
            PID:1544
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EFF5882785849CD9E52250CAB28CD060 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EFF5882785849CD9E52250CAB28CD060 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
            4⤵
              PID:5088
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0001D3B77C7F411C82A6F73E9179431E --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
                PID:3820
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D733F113097F4A15E6C9FCABBC2888E1 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                4⤵
                  PID:1084
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=28D52C672663371F0A8ADE979AE26E95 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  4⤵
                    PID:3300
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:1844

              Network

              • flag-us
                DNS
                76.32.126.40.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                76.32.126.40.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                241.154.82.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                241.154.82.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                180.178.17.96.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                180.178.17.96.in-addr.arpa
                IN PTR
                Response
                180.178.17.96.in-addr.arpa
                IN PTR
                a96-17-178-180deploystaticakamaitechnologiescom
              • flag-us
                DNS
                41.110.16.96.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                41.110.16.96.in-addr.arpa
                IN PTR
                Response
                41.110.16.96.in-addr.arpa
                IN PTR
                a96-16-110-41deploystaticakamaitechnologiescom
              • flag-us
                DNS
                81.171.91.138.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                81.171.91.138.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                26.165.165.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                26.165.165.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                206.23.85.13.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                206.23.85.13.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                18.134.221.88.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                18.134.221.88.in-addr.arpa
                IN PTR
                Response
                18.134.221.88.in-addr.arpa
                IN PTR
                a88-221-134-18deploystaticakamaitechnologiescom
              • flag-us
                DNS
                203.197.79.204.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                203.197.79.204.in-addr.arpa
                IN PTR
                Response
                203.197.79.204.in-addr.arpa
                IN PTR
                a-0003a-msedgenet
              • flag-us
                DNS
                194.178.17.96.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                194.178.17.96.in-addr.arpa
                IN PTR
                Response
                194.178.17.96.in-addr.arpa
                IN PTR
                a96-17-178-194deploystaticakamaitechnologiescom
              • flag-us
                DNS
                173.178.17.96.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                173.178.17.96.in-addr.arpa
                IN PTR
                Response
                173.178.17.96.in-addr.arpa
                IN PTR
                a96-17-178-173deploystaticakamaitechnologiescom
              No results found
              • 8.8.8.8:53
                76.32.126.40.in-addr.arpa
                dns
                71 B
                 157 B
                 1
                1

                DNS Request

                76.32.126.40.in-addr.arpa

              • 8.8.8.8:53
                241.154.82.20.in-addr.arpa
                dns
                72 B
                 158 B
                 1
                1

                DNS Request

                241.154.82.20.in-addr.arpa

              • 8.8.8.8:53
                180.178.17.96.in-addr.arpa
                dns
                72 B
                 137 B
                 1
                1

                DNS Request

                180.178.17.96.in-addr.arpa

              • 8.8.8.8:53
                41.110.16.96.in-addr.arpa
                dns
                71 B
                 135 B
                 1
                1

                DNS Request

                41.110.16.96.in-addr.arpa

              • 8.8.8.8:53
                81.171.91.138.in-addr.arpa
                dns
                72 B
                 146 B
                 1
                1

                DNS Request

                81.171.91.138.in-addr.arpa

              • 8.8.8.8:53
                26.165.165.52.in-addr.arpa
                dns
                72 B
                 146 B
                 1
                1

                DNS Request

                26.165.165.52.in-addr.arpa

              • 8.8.8.8:53
                206.23.85.13.in-addr.arpa
                dns
                71 B
                 145 B
                 1
                1

                DNS Request

                206.23.85.13.in-addr.arpa

              • 8.8.8.8:53
                18.134.221.88.in-addr.arpa
                dns
                72 B
                 137 B
                 1
                1

                DNS Request

                18.134.221.88.in-addr.arpa

              • 8.8.8.8:53
                203.197.79.204.in-addr.arpa
                dns
                73 B
                 106 B
                 1
                1

                DNS Request

                203.197.79.204.in-addr.arpa

              • 8.8.8.8:53
                194.178.17.96.in-addr.arpa
                dns
                72 B
                 137 B
                 1
                1

                DNS Request

                194.178.17.96.in-addr.arpa

              • 8.8.8.8:53
                173.178.17.96.in-addr.arpa
                dns
                72 B
                 137 B
                 1
                1

                DNS Request

                173.178.17.96.in-addr.arpa

              • 8.8.8.8:53

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              We care about your privacy.

              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.