URL:

https://github.com/Creallo69/Creal-Stealer-Fix-/blob/main/Creal-Stealer-main.rar

Full analysis: https://app.any.run/tasks/8176f6ee-034c-48a7-926a-c5c20dd67092
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: February 26, 2025, 12:55:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
arch-exec
python
evasion
discord
stealer
arch-doc
pyinstaller
Indicators:
MD5:

A9A4FFC168A20BC7947BC6D73601C0E0

SHA1:

D40E4F33F9FBAF0F0132794196304A9560FFD0FA

SHA256:

52A838EE2013C359C54F3BC4EF768F8A3F09EEA81E4DC945D84AF9B042129CB5

SSDEEP:

3:N8tEdVgEQKgzlHciER+hlMLX+:2uT7gz9cis+hD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • python module.exe (PID: 536)

    • Steals credentials from Web Browsers

      • python module.exe (PID: 536)

    • Changes the autorun value in the registry

      • reg.exe (PID: 7296)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 732)
      • WinRAR.exe (PID: 7572)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 732)
      • python module.exe (PID: 536)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 732)
      • python module.exe (PID: 536)

    • Executable content was dropped or overwritten

      • python module.exe (PID: 7892)
      • python module.exe (PID: 536)

    • Process drops python dynamic module

      • python module.exe (PID: 7892)

    • The process drops C-runtime libraries

      • python module.exe (PID: 7892)

    • Process drops legitimate windows executable

      • python module.exe (PID: 7892)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 6256)
      • cmd.exe (PID: 6820)

    • Loads Python modules

      • python module.exe (PID: 536)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7216)
      • WMIC.exe (PID: 6072)
      • WMIC.exe (PID: 3796)
      • WMIC.exe (PID: 7820)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • python module.exe (PID: 536)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5544)
      • cmd.exe (PID: 5436)

    • Application launched itself

      • python module.exe (PID: 7892)
      • WinRAR.exe (PID: 732)
      • WinRAR.exe (PID: 7572)

    • There is functionality for taking screenshot (YARA)

      • python module.exe (PID: 7892)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 5212)
      • cmd.exe (PID: 2192)
      • cmd.exe (PID: 812)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 1616)
      • firefox.exe (PID: 3300)

    • Manual execution by a user

      • WinRAR.exe (PID: 732)
      • WinRAR.exe (PID: 7572)

    • Reads the software policy settings

      • slui.exe (PID: 1180)
      • slui.exe (PID: 3140)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 1616)
      • WinRAR.exe (PID: 732)

    • Create files in a temporary directory

      • python module.exe (PID: 7892)
      • python module.exe (PID: 536)

    • Checks proxy server information

      • slui.exe (PID: 3140)
      • python module.exe (PID: 536)

    • Checks supported languages

      • python module.exe (PID: 7892)
      • python module.exe (PID: 536)

    • Reads the computer name

      • python module.exe (PID: 7892)
      • python module.exe (PID: 536)

    • The sample compiled with english language support

      • python module.exe (PID: 7892)

    • Checks operating system version

      • python module.exe (PID: 536)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7216)
      • WMIC.exe (PID: 6072)
      • WMIC.exe (PID: 3796)
      • WMIC.exe (PID: 7820)

    • Creates files or folders in the user directory

      • python module.exe (PID: 536)

    • Reads the machine GUID from the registry

      • python module.exe (PID: 536)

    • PyInstaller has been detected (YARA)

      • python module.exe (PID: 7892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
190
Monitored processes
59
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs slui.exe winrar.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs slui.exe cmd.exe no specs conhost.exe no specs python module.exe python module.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs winrar.exe no specs rundll32.exe no specs winrar.exe no specs winrar.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
536"C:\Users\admin\AppData\Local\Temp\Rar$EXa732.49832\Creal-Stealer-main\python module\python module.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa732.49832\Creal-Stealer-main\python module\python module.exe
python module.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa732.49832\creal-stealer-main\python module\python module.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
732"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Creal-Stealer-main.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
812C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"C:\Windows\System32\cmd.exepython module.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1180"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1616"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Creallo69/Creal-Stealer-Fix-/blob/main/Creal-Stealer-main.rarC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2108netsh wlan show profilesC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2148\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2152"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa7572.11264\vault.zipC:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2192C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"C:\Windows\System32\cmd.exepython module.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
27 867
Read events
27 815
Write events
51
Delete events
1

Modification events

(PID) Process:(1616) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\Creal-Stealer-main.rar
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(732) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6752) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:empyrean
Value:
Executable files
130
Suspicious files
195
Text files
86
Unknown types
2

Dropped files

PID
Process
Filename
Type
1616firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1616firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.binbinary
MD5:B7EBA6877022B5859DB4DD04C9B8939B
SHA256:D1D827BDEBA8D35EF70CDA8FDD6E591C436079C3577366E4E40729B08DC9B743
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1616firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
95
DNS requests
129
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1616
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
US
text
90 b
whitelisted
1616
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
US
text
8 b
whitelisted
1616
firefox.exe
POST
200
2.16.206.136:80
http://r10.o.lencr.org/
DE
binary
504 b
whitelisted
1616
firefox.exe
POST
200
2.16.206.136:80
http://r10.o.lencr.org/
DE
binary
504 b
whitelisted
1616
firefox.exe
POST
200
172.64.149.23:80
http://ocsp.sectigo.com/
US
binary
282 b
whitelisted
1616
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/we2
US
binary
278 b
whitelisted
1616
firefox.exe
POST
200
2.16.206.143:80
http://r11.o.lencr.org/
DE
binary
504 b
whitelisted
1616
firefox.exe
POST
200
2.16.206.136:80
http://r10.o.lencr.org/
DE
binary
504 b
whitelisted
1616
firefox.exe
POST
200
172.64.149.23:80
http://ocsp.sectigo.com/
US
binary
471 b
whitelisted
1616
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/s/wr3/UTA
US
binary
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1616
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
1616
firefox.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted
1616
firefox.exe
34.117.188.166:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted
1616
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
1616
firefox.exe
2.16.206.136:80
r10.o.lencr.org
Akamai International B.V.
DE
whitelisted
1616
firefox.exe
172.64.149.23:80
ocsp.sectigo.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
github.com
  • 140.82.121.3
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted
example.org
  • 96.7.128.186
  • 23.215.0.132
  • 96.7.128.192
  • 23.215.0.133
whitelisted
ipv4only.arpa
  • 192.0.0.171
  • 192.0.0.170
whitelisted
spocs.getpocket.com
  • 34.117.188.166
whitelisted
prod.ads.prod.webservices.mozgcp.net
  • 34.117.188.166
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
536
python module.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
536
python module.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
536
python module.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
536
python module.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/Creallo69/Creal-Stealer-Fix-/blob/main/Creal-Stealer-main.rar