File name:

Cloner.exe

Full analysis: https://app.any.run/tasks/da42c652-693b-46b1-a278-e876781f12f1
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 01, 2025, 16:19:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
trox
stealer
discord
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5:

3FA30F563394542CA567662FA2D1218B

SHA1:

A787782FC0B6CC61E157C36200243904828CC402

SHA256:

BBD50057DEBA1E71A0F8902C014E8DCD3D79A96A4D6331B56314F3D164985F3C

SSDEEP:

98304:o3j3FiJHFCVH4IRGoEGoyetvbm5qrb/a1Ij86ec0bm9SqeOW+44nClteZN8dFXRJ:AovAKHPcxTwXaCubIl1VRCT/0dy5DAZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TROX has been detected

      • Cloner.exe (PID: 7444)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Cloner.exe (PID: 7444)
    • Process drops python dynamic module

      • Cloner.exe (PID: 7444)
    • Process drops legitimate windows executable

      • Cloner.exe (PID: 7444)
    • The process drops C-runtime libraries

      • Cloner.exe (PID: 7444)
    • Loads Python modules

      • Cloner.exe (PID: 7516)
    • Starts CMD.EXE for commands execution

      • Cloner.exe (PID: 7516)
    • Reads security settings of Internet Explorer

      • Cloner.exe (PID: 7444)
  • INFO

    • Create files in a temporary directory

      • Cloner.exe (PID: 7444)
    • Checks supported languages

      • Cloner.exe (PID: 7516)
      • mode.com (PID: 7612)
      • Cloner.exe (PID: 7444)
    • Reads the machine GUID from the registry

      • Cloner.exe (PID: 7516)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7612)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7228)
      • notepad.exe (PID: 7936)
    • Manual execution by a user

      • notepad.exe (PID: 7936)
      • notepad.exe (PID: 7228)
    • Reads the computer name

      • Cloner.exe (PID: 7444)
      • Cloner.exe (PID: 7516)
    • Reads the software policy settings

      • slui.exe (PID: 2340)
    • Checks proxy server information

      • slui.exe (PID: 2340)
    • The sample compiled with english language support

      • Cloner.exe (PID: 7444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:10 18:21:21+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 113152
InitializedDataSize: 11826176
UninitializedDataSize: 155136
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes
134
Monitored processes
10
Malicious processes
1
Suspicious processes
1

Behavior graph

Graph nodes: cloner.exe (#TROX), conhost.exe, cloner.exe, cmd.exe, cmd.exe, cmd.exe, mode.com, notepad.exe, slui.exe, notepad.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2340
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7228
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\BlankPage.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7444
CMD: "C:\Users\admin\Desktop\Cloner.exe"
Path: C:\Users\admin\Desktop\Cloner.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\cloner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7452
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Cloner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7516
CMD: C:\Users\admin\Desktop\Cloner.exe
Path: C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\Cloner.exe
Parent process: Cloner.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\onefile_7444_133879979536128157\cloner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7548
CMD: C:\WINDOWS\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
Parent process: Cloner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 7568
CMD: C:\WINDOWS\system32\cmd.exe /c title ^| Eternal IMP ^| Discord.gg/input ^| Discord Server Cloner ^| Version 2.0 ^|
Path: C:\Windows\System32\cmd.exe
Parent process: Cloner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 7588
CMD: C:\WINDOWS\system32\cmd.exe /c mode con: cols=80 lines=20
Path: C:\Windows\System32\cmd.exe
Parent process: Cloner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 7612
CMD: mode con: cols=80 lines=20
Path: C:\Windows\System32\mode.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7936
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\BlankPage.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
4 402
Read events
4 402
Write events
0
Delete events
0

Modification events

No data
Executable files
29
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_ssl.pyd | executable
MD5:11C5008E0BA2CAA8ADF7452F0AAAFD1E
SHA256:BF63F44951F14C9D0C890415D013276498D6D59E53811BBE2FA16825710BEA14
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_socket.pyd | executable
MD5:5DD51579FA9B6A06336854889562BEC0
SHA256:3669E56E99AE3A944FBE7845F0BE05AEA96A603717E883D56A27DC356F8C2F2C
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_uuid.pyd | executable
MD5:AEEAD50876DDB63CB8E882989041D7DA
SHA256:C74AAEEC487457139B47C0AB56E01922BFAE6DEBEF562800E5B9B6BAF1EC9D6A
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_queue.pyd | executable
MD5:C9EE37E9F3BFFD296ADE10A27C7E5B50
SHA256:9ECEC72C5FE3C83C122043CAD8CEB80D239D99D03B8EA665490BBCED183CE42A
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\_overlapped.pyd | executable
MD5:5BFE7D9E1877FDDE718BB84B67D8BE68
SHA256:FE5666C1C8215CD2773744C815FB4A3B2F52F64CF0DDE25D458441DA22BF5568
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\libcrypto-1_1.dll | executable
MD5:63C4F445B6998E63A1414F5765C18217
SHA256:664C3E52F914E351BB8A66CE2465EE0D40ACAB1D2A6B3167AE6ACF6F1D1724D2
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\pyexpat.pyd | executable
MD5:983D8E003E772E9C078FAAD820D14436
SHA256:E2146BED9720EB94388532551444F434D3195310FA7BD117253E7DF81A8E187E
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\select.pyd | executable
MD5:78D421A4E6B06B5561C45B9A5C6F86B1
SHA256:F1694CE82DA997FAA89A9D22D469BFC94ABB0F2063A69EC9B953BC085C2CB823
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\libssl-1_1.dll | executable
MD5:BD857F444EBBF147A8FCD1215EFE79FC
SHA256:B7C0E42C1A60A2A062B899C8D4EBD0C50EF956177BA21785CE07C517C143AEAF
7444 | Cloner.exe | C:\Users\admin\AppData\Local\Temp\onefile_7444_133879979536128157\libffi-7.dll | executable
MD5:EEF7981412BE8EA459064D3090F4B3AA
SHA256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
15
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.162:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7976
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7976
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.162:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
20.198.162.76:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.160.130
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.64
  • 40.126.32.76
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.140
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.158
  • 23.48.23.166
  • 23.48.23.159
  • 23.48.23.177
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.173
  • 23.48.23.194
whitelisted
client.wns.windows.com
  • 20.198.162.76
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7516
Cloner.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7516
Cloner.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7516
Cloner.exe
Misc activity
ET INFO Observed Discord Service Domain (gateway .discord .gg) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg)
No debug info