File name: Cloner.exe
Full analysis: https://app.any.run/tasks/da42c652-693b-46b1-a278-e876781f12f1
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 01, 2025, 16:19:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python, trox, stealer, discord
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: 3FA30F563394542CA567662FA2D1218B
SHA1: A787782FC0B6CC61E157C36200243904828CC402
SHA256: BBD50057DEBA1E71A0F8902C014E8DCD3D79A96A4D6331B56314F3D164985F3C
SSDEEP: 98304:o3j3FiJHFCVH4IRGoEGoyetvbm5qrb/a1Ij86ec0bm9SqeOW+44nClteZN8dFXRJ:AovAKHPcxTwXaCubIl1VRCT/0dy5DAZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TROX has been detected

      • Cloner.exe (PID: 7444)
  • SUSPICIOUS

    • Process drops python dynamic module

      • Cloner.exe (PID: 7444)
    • The process drops C-runtime libraries

      • Cloner.exe (PID: 7444)
    • Executable content was dropped or overwritten

      • Cloner.exe (PID: 7444)
    • Loads Python modules

      • Cloner.exe (PID: 7516)
    • Process drops legitimate windows executable

      • Cloner.exe (PID: 7444)
    • Starts CMD.EXE for commands execution

      • Cloner.exe (PID: 7516)
    • Reads security settings of Internet Explorer

      • Cloner.exe (PID: 7444)
  • INFO

    • The sample was compiled with English language support

      • Cloner.exe (PID: 7444)
    • Checks supported languages

      • Cloner.exe (PID: 7444)
      • mode.com (PID: 7612)
      • Cloner.exe (PID: 7516)
    • Create files in a temporary directory

      • Cloner.exe (PID: 7444)
    • Reads the machine GUID from the registry

      • Cloner.exe (PID: 7516)
    • Manual execution by a user

      • notepad.exe (PID: 7228)
      • notepad.exe (PID: 7936)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7228)
      • notepad.exe (PID: 7936)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7612)
    • Reads the computer name

      • Cloner.exe (PID: 7444)
      • Cloner.exe (PID: 7516)
    • Reads the software policy settings

      • slui.exe (PID: 2340)
    • Checks proxy server information

      • slui.exe (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:10 18:21:21+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 113152
InitializedDataSize: 11826176
UninitializedDataSize: 155136
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 10
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: cloner.exe (#TROX), conhost.exe (no specs), cloner.exe, cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), mode.com (no specs), notepad.exe (no specs), slui.exe, notepad.exe (no specs)

Process information

PID: 2340
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7228
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\BlankPage.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7444
CMD: "C:\Users\admin\Desktop\Cloner.exe"
Path: C:\Users\admin\Desktop\Cloner.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\cloner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7452
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Cloner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7516
CMD: C:\Users\admin\Desktop\Cloner.exe
Path: C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\Cloner.exe
Parent process: Cloner.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\onefile_7444_133879979536128157\cloner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7548
CMD: C:\WINDOWS\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
Parent process: Cloner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 7568
CMD: C:\WINDOWS\system32\cmd.exe /c title ^| Eternal IMP ^| Discord.gg/input ^| Discord Server Cloner ^| Version 2.0 ^|
Path: C:\Windows\System32\cmd.exe
Parent process: Cloner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 7588
CMD: C:\WINDOWS\system32\cmd.exe /c mode con: cols=80 lines=20
Path: C:\Windows\System32\cmd.exe
Parent process: Cloner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 7612
CMD: mode con: cols=80 lines=20
Path: C:\Windows\System32\mode.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: DOS Device MODE Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7936
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\BlankPage.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 4 402
Read events: 4 402
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 29
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_bz2.pyd | executable
MD5: B45E82A398713163216984F2FEBA88F6
SHA256: 4C2649DC69A8874B91646723AACB84C565EFEAA4277C46392055BCA9A10497A8

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_ctypes.pyd | executable
MD5: 79F339753DC8954B8EB45FE70910937E
SHA256: 35CDD122679041EBEF264DE5626B7805F3F66C8AE6CC451B8BC520BE647FA007

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_overlapped.pyd | executable
MD5: 5BFE7D9E1877FDDE718BB84B67D8BE68
SHA256: FE5666C1C8215CD2773744C815FB4A3B2F52F64CF0DDE25D458441DA22BF5568

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_lzma.pyd | executable
MD5: 5A77A1E70E054431236ADB9E46F40582
SHA256: F125A885C10E1BE4B12D988D6C19128890E7ADD75BAA935FE1354721AA2DEA3E

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\libcrypto-1_1.dll | executable
MD5: 63C4F445B6998E63A1414F5765C18217
SHA256: 664C3E52F914E351BB8A66CE2465EE0D40ACAB1D2A6B3167AE6ACF6F1D1724D2

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_multiprocessing.pyd | executable
MD5: FCE357F864A558C03ED17755F87D0E30
SHA256: 000486AAAC9DD21E88B3DC65FD854DD83519B1FBCC224A70530BC3EC8CBD1A5D

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_socket.pyd | executable
MD5: 5DD51579FA9B6A06336854889562BEC0
SHA256: 3669E56E99AE3A944FBE7845F0BE05AEA96A603717E883D56A27DC356F8C2F2C

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\libssl-1_1.dll | executable
MD5: BD857F444EBBF147A8FCD1215EFE79FC
SHA256: B7C0E42C1A60A2A062B899C8D4EBD0C50EF956177BA21785CE07C517C143AEAF

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\python310.dll | executable
MD5: 384349987B60775D6FC3A6D202C3E1BD
SHA256: F281C2E252ED59DD96726DBB2DE529A2B07B818E9CC3799D1FFA9883E3028ED8

7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\Cloner.exe | executable
MD5: 49B2C131F07C662D6827DB9913B68382
SHA256: 87205709D3405E58D550688411A9F83995EB3C408EAD371AE2E16813D34E8D8A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 15
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7976 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7976 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | whitelisted
6544 | svchost.exe | 20.190.160.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.162:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
20.198.162.76:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.160.130
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.64
  • 40.126.32.76
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.140
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.158
  • 23.48.23.166
  • 23.48.23.159
  • 23.48.23.177
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.173
  • 23.48.23.194
whitelisted
client.wns.windows.com
  • 20.198.162.76
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message

2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7516 | Cloner.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7516 | Cloner.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7516 | Cloner.exe | Misc activity | ET INFO Observed Discord Service Domain (gateway .discord .gg) in TLS SNI
2196 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg)
No debug info