crealstealer | hxxps://www[.]upload[.]ee/files/15396942/Creal-Stealer-main[.]rar[.]html

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/15396942/Creal-Stealer-main.rar.html

Score

10^/10

crealstealer discovery execution stealer

Malware Config

Signatures

An infostealer written in Python and packaged with PyInstaller. 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234ce-236.dat	crealstealer

crealstealer
An infostealer written in Python and packaged with PyInstaller.
stealer crealstealer

Blocklisted process makes network request 1 IoCs

flow	pid	Process
145	4492	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4492	powershell.exe

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
3160	msedge.exe
3160	msedge.exe
4864	identity_helper.exe
4864	identity_helper.exe
3908	msedge.exe
3908	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4736	msedge.exe
4736	msedge.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4172	7zG.exe
Token: 35	4172	7zG.exe
Token: SeSecurityPrivilege	4172	7zG.exe
Token: SeSecurityPrivilege	4172	7zG.exe
Token: SeRestorePrivilege	3556	7zG.exe
Token: 35	3556	7zG.exe
Token: SeSecurityPrivilege	3556	7zG.exe
Token: SeSecurityPrivilege	3556	7zG.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
4172	7zG.exe
3556	7zG.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4192	OpenWith.exe
4144	OpenWith.exe
4536	OpenWith.exe
4144	OpenWith.exe
4144	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4252	3160	msedge.exe	83
PID 3160 wrote to memory of 4252	3160	msedge.exe	83
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 892	3160	msedge.exe	85
PID 3160 wrote to memory of 3416	3160	msedge.exe	86
PID 3160 wrote to memory of 3416	3160	msedge.exe	86
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87
PID 3160 wrote to memory of 3684	3160	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/files/15396942/Creal-Stealer-main.rar.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bcd146f8,0x7ff8bcd14708,0x7ff8bcd14718
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2336 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,17343365894249166418,9688099904532680043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4144

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31869:98:7zEvent7714
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7920:98:7zEvent16734
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Creal-Stealer-main\install.bat" "
1⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Creal-Stealer-main\install_python.bat" "
1⤵
PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
  2⤵
  PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- C:\Windows\system32\curl.exe
  curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
  2⤵
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8face210-0b63-40e3-ad6f-ce0c5c97f26a.tmp

Filesize
8KB

MD5
579734bc09c72ba9793ee59a458893d4

SHA1
30573128e3e9ccdbfd6aabe670e715ec626ce97d

SHA256
5238549d8a0135a9233b33f1a2bb94cdb70e6275db8f9c7963982061eb68fd21

SHA512
e0187a9e082faa3446862673160487ee1341d45cd3c7c6b60839876ff56e62fe3375b2a7046e1704073e0e6b2d481b73eb70ddb7b8db101f3d84f4a1faef5cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
3c30f209a416fee9a8964df7ed983099

SHA1
4033f760cdebc8a6dcb5b4cb52c7234fedca6c98

SHA256
63f73de79ca22c10b323ffe87e46aa8d3badb84a8483a62d84f978e1ef3a84cd

SHA512
aeb53485323b0e11e65d6a88dc0f0e9e5f88087599172760b535e87b0cd4bac51c5fc75e4c41348821669a88b6bd375e80099b092192b223ef0c395eef11db31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
aefde1819e24cb80c8cae60973adaa5d

SHA1
bdd6e78a3665bf28db94fe2541d2f2085b58594d

SHA256
74b3d56c52f23e5aeb45e25cd3744f330c609e29569d422e2c19769654ee0c9a

SHA512
ccd5aea27cacdba5de526de4e734c6bf46375e6d39002f639e251808acc862db89101725e290e993f7b04b5c58494aa40191c2d8c4dd95903829b026c58103ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d34dd21b7f32d03107ea46b819893f95

SHA1
07d3e22be031bc1363fa65d6a0b452c7b5bcadd7

SHA256
ab7225a32489adfca6fb382237c6448d941a67ab10985d40c90bee356f778c79

SHA512
7660c1d615ea2a22231a47092a041a94c417a95ff9f212de8b3cc8af51c5bfe25573ec3d07658d80f179736cd6f27d61d5150d6d1efdf29322ce9bcf3e461814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a53533d57f15e1e8f931febb9da9b38e

SHA1
cba00a6cfd1fe3b166f2adeed24109203b76d57f

SHA256
c5240a327526fdb89e777bcefb0feda0ae520f3a7e6708daed3849969278417e

SHA512
b732c67ad666d3555e3637e250bad3a7ee5b61eb74ffd0a1b857348885be6c56d10f08cff0d090e5894e8ae3b59db775d9ac48afa2b9f66678f737862da3eaba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80fe8d0223241c687edc91dd54f382d1

SHA1
59810e93d41c55f21af006fbe093ab8e806279a1

SHA256
4c390f3749fc17aca23344474c81f98f09bbf638383e9c7c70b904a439a35a69

SHA512
6c1377705a3baff1c51992b8ee9b839b292bb7866c14e6d621c7497405d85308df05f363f6e6f6ab60f7d97d608b2c30c4478b34d595ef7b5d54e7f787ee7486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f73fcb9a8d50a6d7b74f03466ae14908

SHA1
1ae77d1ce08488d4ea51195057d643777847d209

SHA256
64e1531d4af07143f781fc2efdce67e73befc37bb296ea6280e2b6e88ca9f1ca

SHA512
ffd1b0f9386800090c41837a5daa00d9d54d5058dc3380f55a1f1e044bcd3dfc6e994a49be6ebd625828d7126c815ca85bf1c25d08706544879566753c3901c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584bc9.TMP

Filesize
1KB

MD5
48298d3d48ae566df7bb2485f38e470c

SHA1
a241f006526fca1b46661f450306a588bd2ed747

SHA256
b406d9e5bcac917d480bec9a9556da76340b7bc53f77d4586222a3f32ff75899

SHA512
6820ace83998d5752530f0e88013234066413037c379ba8ba7bad5844c2a25a95694d072542066589f2b9f7951d3c893ae103c48ce46e8d82cd2e26d62627d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f548a60021215880f4e49f7c0663188

SHA1
cc19704f52dbf09ba584b521390c0d87c780e2e4

SHA256
860effbb57235656c6f972901818bcdaf7a5a910f79675a3a85f18a1fef00dbb

SHA512
593ece4e9d835d1dfecc5d5a5f5681dbf837dd8c5f8b4561e6d3d6624eabba37d716d5be6ba13bea1e7d17259c6f47a0071e6133576b022d0fa203f95128634a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
04c6293ff5cda22390be697e1ae16836

SHA1
5c722ac651b83a228e1ee84eceb4a512e61f2a42

SHA256
34d7c4bf223d9c445dc6fd24d0d56fb2788639ecf3cc5699586c08c3994fa516

SHA512
54c684627c6f7145299c2ebb8118349b76f2f3481114f70dd92f8247ee385ad0702c97bae8c4410890c311cd2218431050f37807e0f3bd0ec51fae4269f19f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2e66da2650691a38c27949adc92c799b

SHA1
353c99fbc23855098968af661386977310a9fc79

SHA256
e0942db1014dc63621280ab378899cca9c6b4e4af27ef14abc00ef1f162a5418

SHA512
7a4f492a02e9698dbe44d193519367dd848e45c6705d578974a329d76ffcf639f5a60d68340c60dd945c96c3d59dec6352d6dbd0aa34f9ec26c3080e71f3c3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdbpdj4o.5ut.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main.rar

Filesize
419KB

MD5
252b974aa5f586aa6ced2f0e7281a184

SHA1
24ed4304fea8b583a7d616da6484515acada6f0f

SHA256
c89c63322135bc5891565169dd135123f02837634bd3ae5e834078d6a68bde91

SHA512
cca79935c2e58db0f65b1529371168bd27a84dbe7ffdfc207fa8ecd48b89f39b9cc4122d356e397ff60d9379e2c34eb70a03127d2a29539962eb50ea4956c448

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\Creal.py

Filesize
41KB

MD5
71fe5098483fe0b04bfca8e3ef794701

SHA1
62fd7843594848d3894ca482f05f3a9c90d921d8

SHA256
93e26faa29a812b120bd577f80c5683e690913a4b1e21c3c7dd80e79b463c0be

SHA512
3cfdb0ef9c19d373be655adaae3e2aee034a017a0d08bca5187967414c0bd798a3dafb577952968021d6e1fb4d2d7c8c751d883c91e58d490271ac0c5020fbb8

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\IfYouInfected.txt

Filesize
1KB

MD5
7ef841b953ec1e01835e9b460d6cf214

SHA1
63c893277266becb6cea8f91e66009574cde64cc

SHA256
418467de9f5fea315e835adfd27d03de791ebc30d057ecc33e41b74e23b668ef

SHA512
fb4ba2a54888db796b5ca5246fd010631f0f2098e7a262b41afe4b3fcc5a74cadb55d009676eb4b83da11b48c7f98c539e9e5714174269bbbe67e3f08ce4b438

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\README.txt

Filesize
1KB

MD5
e69d91027831619e906b16437461af6e

SHA1
789bec007466b31a873da3a96a540899ccf1d614

SHA256
9990d56aace3ffcfc235caeeccf17a5cb8f2b4d2077dcf4551226c57f30d5f21

SHA512
e9063442019397de3226bafe52c222a92808b49d3f4dd01c2106a3ae1c8d4684c7371bab1a30ab8bb760b94dae9653f7cf6d4a21e0e7c0825781901e97a05c62

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\TUTORIAL.txt

Filesize
1KB

MD5
5399c5c23a145c0e9ec23b80b29da59c

SHA1
9949c7f79ac38f80a06562b24c207bfbc8cea618

SHA256
3094e709c0375148fb8bc83f4c99a6e4516b0cfb9f480eca0cb0cd3bac825388

SHA512
0656a3249ce69468c4a7f2b01ce274b485b3a44055045497c19d8c46eb53dc68f89fbb56dd0f19dec6a2296f742989941f7fc3bbf324e022729f146e117d32aa

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\builder.bat

Filesize
56B

MD5
001b0fde2e65ae4f8fa280ccdb746c93

SHA1
6f3ad8b217f090c0a37ae21ee6f0065e58635771

SHA256
06c326475f195707960159fd70e759bbba1f8b638fb4f749bad68fbb0b728aa2

SHA512
de065f3c04647f572bc8436c5aacd400956954bec23dcad8db2ddfe2689c37bb2ba0221e84ce11e826c9f9efc43d1782ccd28e76c9c25fba3e277f1b694c781a

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\builder.py

Filesize
4KB

MD5
65f5539907f6f6e9b8bc1fb33f9331eb

SHA1
9862051e272e0db4b98bd5e7849c7d6f8176b04b

SHA256
9bd62229d078a3869643ed8f843779d6b17550762b6b05be78c5d6539c9d9e17

SHA512
eef67b0ccf6198f7f57fc78be48aa99eb9b718dfa97dc9370a8532af2ca08f640476ade4721becbf6e22c75d517eacb45f06b851ecf5667633dcca2b8b949784

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\img\CrealNew1.jpg

Filesize
136KB

MD5
20f81c74b092e8727e1eaee9c54734bb

SHA1
0d8518938cde6c43113fd1297da1408a013bf51c

SHA256
797223a3f4e354f907338c5f915d904b9eee9c4fd190b4a4524b71cfd22dce35

SHA512
b976617b38de0aba4cee7ad81666c5c7abe7540d28ef9f7762683be6a290f57e3189a6a9435ce5957636c2c5e6c76a168dd6fce0da85298ecb976cb6d54694ee

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\img\CrealNew2.png

Filesize
55KB

MD5
3b85ef298f92a1dfd0b145ba1c29d08c

SHA1
beafa7e1bde0f9d6bc17f9bce0727dfbf31e2fbd

SHA256
7c029c8fdecc3ea4276a806d09f8f79d5a36aaa2883501b0b2c34482afcd3daa

SHA512
9ae5330377f56a5f69f74ea38717a6f38449e0b1db06fa4d2b16a040aa3bc03e591efb3290dbddb4939be9ba8b94126ad252d136756ae995b55341569d925f8f

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\img\CrealNew3.png

Filesize
124KB

MD5
367499813472e76ad182e55eacab9ee6

SHA1
c6cd7dd01990af6690c91bd252707ec0d5ec34b7

SHA256
57c68b1185683c0015456140673052c5ec66de7fb9908f4c59d361504382d316

SHA512
10b6e7c3011c18b5f028d50126fcb1ac3139d6ff9b79333d0cba18b017a51f9e87e313e484c8a3ee510b64603eb5cb19a6d42d972af8fd2e178c527879b08c03

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\img\builderr.png

Filesize
37KB

MD5
f6e2610503c8f002a5c355ed83b141bf

SHA1
bfdd1ba813237dc21a728be7fa9998bec0e4bbf7

SHA256
5e39f3cd328a432b7061f2a88af4d4d9b56fc52035040c6d72a7063ccc557344

SHA512
5131d14960f0fc3534e8f3b62f8c00e9b4a4351a9c7fd92719c02beffc400d1f94d1194bb2845a1b0c03ba5d7f103a3b614d4dbe696d7729d82fbc4accf672b4

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\img\pyy.png

Filesize
50KB

MD5
37d6b1070131d25bbe407fdfb6a1d34f

SHA1
9ac28110663e5bb518cda9e7d6dffc5945e702fb

SHA256
bdea023b9432b8ed279d05262cde407523ea85183538ec97b670b3a0217b4a70

SHA512
636ca87722c18c2cb85f1f7f4bd7e8c434d159cfb044e9d50dda2404cd350eadc361d50e0cb295507e2325dfe38eacad4e594e81a8f8964ffac28292ad7e97db

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\img\xd.jpg

Filesize
44KB

MD5
d8b7adbe864a5dfa9d0f9b9a54df1fa5

SHA1
3d583090faf9e28f127d30333cd2eba7ae076de9

SHA256
40cd9f31c18eb65248038220d8c6983de03702ec2f7bb5e38ccb248ff02b926d

SHA512
610f8f8946d417c6d7b64d05be56055277b54f3ed29b472d0f2cc9f08d6c1c42f8af40420ac328f0cee9fc5dccbc43e9b6ba6540c4f4530661e0bb613852375e

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\install.bat

Filesize
161B

MD5
6e850049ee08bf9ed50bfdee6e6934c5

SHA1
4fcf058207a8c7acbbb08a8c752dc803c66c6963

SHA256
65df947f76e4c904718c25a0a318ca6f35bdd2328c818ee3b09d75f0f43fa710

SHA512
3cd1a3098791670756f8151a952b12183e8d74aac28809afb3433565b40dc2d583648d479ab064345c9409f7cb534504ec471cfdfd884a1d420341c975d55609

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\install_python.bat

Filesize
687B

MD5
821f007d1c56bb3f4511bab928ce8f63

SHA1
a22b0d76f5ef0e145629dded82e195486675774a

SHA256
434f9d4a2a7a5088aa393b47ad8e957a15481cd3078f10b3c0f7ec6fe5f497c2

SHA512
f1db8db20e25d8d06828ead22e70a28411bf32faa7dd14816ef833efe548a046e9383cb51aa100d49555f2cc9c1f74bf10aef871a0e6724da5f96c690770dd4d

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\junk.py

Filesize
5KB

MD5
e796fd742bb555174ee83f3ce4118d0c

SHA1
9b3b86b4614ee9e64cd836aa77f1fc43102df026

SHA256
3c9881a0bf734894ca5603e5f5c63e84111b9f3415fb27c69d80cb3f54be6ec5

SHA512
3106f4593989a13673bebf847d958a3359f930e36bfda7cd1e0c91d94e2e0d461d5e0250c27f3475e0ffd58c5ad8e6338315e91e985c31390fd8839e20ef0943

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\requirements.txt

Filesize
36B

MD5
7e5191e5e4b8c61bfbb9b146caaec728

SHA1
4438b018fe9a3c88d83115814a67b39b9c189a47

SHA256
796d58c7e0920f6705ece5e4cefc3cdd76b00849eebce71a5c6a057421dd6b47

SHA512
7a800a6252c404bec07f14f756d8e7b2758bb7f9cb142030e2eb05aac84f9c6b734e3244bde2681dad6ded701b5868003b0c0503f21ed43b32f01791f130caf1

Download Submit
C:\Users\Admin\Downloads\Creal-Stealer-main\results\tokens.txt.lnk

Filesize
2KB

MD5
35afe7241fdda7d5ce66e9354c667b38

SHA1
ef32de9685eaa1f7137b0e74490d46740cf5e292

SHA256
0cc18895123f2fe93490ecba6c2ba52969e9fa48004983e224f458f4e14ecd5d

SHA512
ecd569574bd5d48f570834a0003e81aea4b4b867ea656a22f404ce79997f396ec3fccfe4c6850448fe6784fb148cf0610fee7a8d3de17b62733c39479096d268

Download Submit
memory/4492-304-0x00000217BDF00000-0x00000217BDF22000-memory.dmp

Filesize
136KB

Download