File name:

Cleush.exe

Full analysis: https://app.any.run/tasks/ccc45464-ac76-466c-8630-eb850abea18e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 23:59:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trox
stealer
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

970E50F0F34448DA6DEBB6BEB407619F

SHA1:

2C4BB2FBD9BE1A9C169AB6C8566F5B92DBD9A209

SHA256:

FCB517BF55536B2B7A28E104B740029065FAFD66B023CE4849C382F7BB9A26A0

SSDEEP:

98304:Vq4FxgVh7lg9q5Jk+l/ctpVP10yxNGoPCRImXFj9DM5FzwP9PtSRbzpMaZAY6gbR:5r/KiSDJkAa8H3Z3q0ewtVsyhF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TROX has been detected

      • Cleush.exe (PID: 7452)

  • SUSPICIOUS

    • Process drops python dynamic module

      • Cleush.exe (PID: 7452)

    • Executable content was dropped or overwritten

      • Cleush.exe (PID: 7452)

    • The process drops C-runtime libraries

      • Cleush.exe (PID: 7452)

    • Process drops legitimate windows executable

      • Cleush.exe (PID: 7452)

    • Application launched itself

      • Cleush.exe (PID: 7452)

    • Loads Python modules

      • Cleush.exe (PID: 7908)

    • Starts CMD.EXE for commands execution

      • Cleush.exe (PID: 7908)

    • Reads security settings of Internet Explorer

      • Cleush.exe (PID: 7452)

  • INFO

    • Checks supported languages

      • Cleush.exe (PID: 7452)
      • Cleush.exe (PID: 7908)

    • The sample compiled with english language support

      • Cleush.exe (PID: 7452)

    • Create files in a temporary directory

      • Cleush.exe (PID: 7452)

    • Reads the computer name

      • Cleush.exe (PID: 7908)
      • Cleush.exe (PID: 7452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:09 16:11:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 145408
InitializedDataSize: 14157824
UninitializedDataSize: -
EntryPoint: 0xd35c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TROX cleush.exe conhost.exe no specs cleush.exe no specs cmd.exe no specs rundll32.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7236C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7272C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
7452"C:\Users\admin\AppData\Local\Temp\Cleush.exe" C:\Users\admin\AppData\Local\Temp\Cleush.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\cleush.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
7460\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeCleush.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7908C:\Users\admin\AppData\Local\Temp\Cleush.exeC:\Users\admin\AppData\Local\Temp\Cleush.exeCleush.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\cleush.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
8016C:\WINDOWS\system32\cmd.exe /c C:\Windows\System32\cmd.exeCleush.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 733
Read events
3 733
Write events
0
Delete events
0

Modification events

No data
Executable files
39
Suspicious files
590
Text files
8
Unknown types
7

Dropped files

PID
Process
Filename
Type
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_asyncio.pydexecutable
MD5:70DEC3CE00E5CAF45246736B53EA3AD0
SHA256:8CEF0CD8333F88A9F9E52FA0D151B5F661D452EFBCFC507DC28A46259B82596C
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\main.dllexecutable
MD5:03361B8A0785024FBF3B502DA258BBA1
SHA256:F28FB51179C12A4E5A86F5EBC2D6A3EC7332F6813E2CACC64CBFD3F9EAFD3DFD
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_cffi_backend.pydexecutable
MD5:5CBA92E7C00D09A55F5CBADC8D16CD26
SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_bz2.pydexecutable
MD5:057325E89B4DB46E6B18A52D1A691CAA
SHA256:5BA872CAA7FCEE0F4FB81C6E0201CEED9BD92A3624F16828DD316144D292A869
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_hashlib.pydexecutable
MD5:CF4120BAD9A7F77993DD7A95568D83D7
SHA256:14765E83996FE6D50AEDC11BB41D7C427A3E846A6A6293A4A46F7EA7E3F14148
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_socket.pydexecutable
MD5:69C4A9A654CF6D1684B73A431949B333
SHA256:8DAEFAFF53E6956F5AEA5279A7C71F17D8C63E2B0D54031C3B9E82FCB0FB84DB
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_decimal.pydexecutable
MD5:F465C15E7BACEAC920DC58A5FB922C1C
SHA256:F4A486A0CA6A53659159A404614C7E7EDCCB6BFBCDEB844F6CEE544436A826CB
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_ssl.pydexecutable
MD5:CE19076F6B62292ED66FD06E5BA67BBA
SHA256:21CA71B2C1766FC68734CB3D1E7C2C0439B86BCFB95E00B367C5FD48C59E617C
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_overlapped.pydexecutable
MD5:51E4C701E4EFA92A56ADAF5BDC9CF49B
SHA256:9EF177DB14CFA3AA66193078C431A96B6AE70858E9DD774B3D3E3CB6E39D10A3
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_wmi.pydexecutable
MD5:E3213CF44340D7B4CB65F7231A65E3A4
SHA256:AB87FE4B0CF5B2B17901905EA86367B9756C44845EB463E77435648F0F719354
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.131
  • 40.126.31.129
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Cleush.exe