File name:

Cleush.exe

Full analysis: https://app.any.run/tasks/ccc45464-ac76-466c-8630-eb850abea18e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 23:59:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trox
stealer
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

970E50F0F34448DA6DEBB6BEB407619F

SHA1:

2C4BB2FBD9BE1A9C169AB6C8566F5B92DBD9A209

SHA256:

FCB517BF55536B2B7A28E104B740029065FAFD66B023CE4849C382F7BB9A26A0

SSDEEP:

98304:Vq4FxgVh7lg9q5Jk+l/ctpVP10yxNGoPCRImXFj9DM5FzwP9PtSRbzpMaZAY6gbR:5r/KiSDJkAa8H3Z3q0ewtVsyhF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TROX has been detected

      • Cleush.exe (PID: 7452)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Cleush.exe (PID: 7452)

    • Process drops python dynamic module

      • Cleush.exe (PID: 7452)

    • Executable content was dropped or overwritten

      • Cleush.exe (PID: 7452)

    • Process drops legitimate windows executable

      • Cleush.exe (PID: 7452)

    • Application launched itself

      • Cleush.exe (PID: 7452)

    • Loads Python modules

      • Cleush.exe (PID: 7908)

    • Starts CMD.EXE for commands execution

      • Cleush.exe (PID: 7908)

    • Reads security settings of Internet Explorer

      • Cleush.exe (PID: 7452)

  • INFO

    • Checks supported languages

      • Cleush.exe (PID: 7452)
      • Cleush.exe (PID: 7908)

    • The sample compiled with english language support

      • Cleush.exe (PID: 7452)

    • Create files in a temporary directory

      • Cleush.exe (PID: 7452)

    • Reads the computer name

      • Cleush.exe (PID: 7908)
      • Cleush.exe (PID: 7452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:09 16:11:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 145408
InitializedDataSize: 14157824
UninitializedDataSize: -
EntryPoint: 0xd35c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TROX cleush.exe conhost.exe no specs cleush.exe no specs cmd.exe no specs rundll32.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7236C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7272C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
7452"C:\Users\admin\AppData\Local\Temp\Cleush.exe" C:\Users\admin\AppData\Local\Temp\Cleush.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\cleush.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
7460\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeCleush.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7908C:\Users\admin\AppData\Local\Temp\Cleush.exeC:\Users\admin\AppData\Local\Temp\Cleush.exeCleush.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\cleush.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
8016C:\WINDOWS\system32\cmd.exe /c C:\Windows\System32\cmd.exeCleush.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 733
Read events
3 733
Write events
0
Delete events
0

Modification events

No data
Executable files
39
Suspicious files
590
Text files
8
Unknown types
7

Dropped files

PID
Process
Filename
Type
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_decimal.pydexecutable
MD5:F465C15E7BACEAC920DC58A5FB922C1C
SHA256:F4A486A0CA6A53659159A404614C7E7EDCCB6BFBCDEB844F6CEE544436A826CB
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_socket.pydexecutable
MD5:69C4A9A654CF6D1684B73A431949B333
SHA256:8DAEFAFF53E6956F5AEA5279A7C71F17D8C63E2B0D54031C3B9E82FCB0FB84DB
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_asyncio.pydexecutable
MD5:70DEC3CE00E5CAF45246736B53EA3AD0
SHA256:8CEF0CD8333F88A9F9E52FA0D151B5F661D452EFBCFC507DC28A46259B82596C
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_cffi_backend.pydexecutable
MD5:5CBA92E7C00D09A55F5CBADC8D16CD26
SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\main.dllexecutable
MD5:03361B8A0785024FBF3B502DA258BBA1
SHA256:F28FB51179C12A4E5A86F5EBC2D6A3EC7332F6813E2CACC64CBFD3F9EAFD3DFD
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_uuid.pydexecutable
MD5:CCF609AE4416F13FCB80A122C4345348
SHA256:99E97E0AF615F43150778AAA44D82BC58B70BF595A8412CFAFCC5D38BE38BDFB
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_multiprocessing.pydexecutable
MD5:24AEE7D83525CB43AD02FD3116B28274
SHA256:3262EC7496D397C0B6BFB2F745516E9E225BD9246F78518852C61D559AA89485
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_ctypes.pydexecutable
MD5:2185849BC0423F6641EE30804F475478
SHA256:199CD8D7DB743C316771EF7BBF414BA9A9CDAE1F974E90DA6103563B2023538D
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_ssl.pydexecutable
MD5:CE19076F6B62292ED66FD06E5BA67BBA
SHA256:21CA71B2C1766FC68734CB3D1E7C2C0439B86BCFB95E00B367C5FD48C59E617C
7452Cleush.exeC:\Users\admin\AppData\Local\Temp\onefile_7452_133920863700617098\_queue.pydexecutable
MD5:59C05030E47BDE800AD937CCB98802D8
SHA256:E4956834DF819C1758D17C1C42A152306F7C0EA7B457CA24CE2F6466A6CB1CAA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.131
  • 40.126.31.129
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Cleush.exe