File name: EpicGamesLauncher.exe

Full analysis: https://app.any.run/tasks/a9794c37-d13e-43b0-b45b-594ed19196e1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 06, 2025, 20:54:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python, trox, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: BD36A16E7B525779053C4136E7692A10
SHA1: DE73DE145B82F3DFC8EDBC305E9F0D3E243E2EE4
SHA256: D95924539739978E669B3D57073006F7A156DF4B4AAC68BECFC6035E87708DC7
SSDEEP: 98304:Xi56ac7SEjgOkFuvtshnSBWcE4tpSxVnQ/EM1R42MdyL2SPlKsgh4upjJFb66xwj:U84PPsL4xhya8Cm4Oou1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • TROX has been detected
      • EpicGamesLauncher.exe (PID: 6808)
  • SUSPICIOUS
    • Process drops python dynamic module
      • EpicGamesLauncher.exe (PID: 6808)
    • Process drops legitimate windows executable
      • EpicGamesLauncher.exe (PID: 6808)
    • Executable content was dropped or overwritten
      • EpicGamesLauncher.exe (PID: 6808)
    • The process drops C-runtime libraries
      • EpicGamesLauncher.exe (PID: 6808)
    • Loads Python modules
      • main.exe (PID: 2116)
    • Reads security settings of Internet Explorer
      • EpicGamesLauncher.exe (PID: 6808)
  • INFO
    • Checks supported languages
      • EpicGamesLauncher.exe (PID: 6808)
      • main.exe (PID: 2116)
    • Create files in a temporary directory
      • EpicGamesLauncher.exe (PID: 6808)
    • The sample compiled with english language support
      • EpicGamesLauncher.exe (PID: 6808)
    • Reads the machine GUID from the registry
      • main.exe (PID: 2116)
    • Reads the computer name
      • EpicGamesLauncher.exe (PID: 6808)
    • Checks proxy server information
      • slui.exe (PID: 6320)
    • Reads the software policy settings
      • slui.exe (PID: 6320)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF (EXE)

MachineType: AMD AMD64
TimeStamp: 2024:08:29 16:14:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 131072
InitializedDataSize: 9652736
UninitializedDataSize: -
EntryPoint: 0xbd34
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 16.10.0.0
ProductVersionNumber: 16.10.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Epic Games, Inc.
ProductName: Unreal Engine
FileDescription: EpicGamesLauncher
LegalCopyright: Copyright Epic Games, Inc. All Rights Reserved.
ProductVersion: 16.10.0.0
FileVersion: 16.10.0.0
OriginalFileName: main.exe
InternalName: main
Total processes: 132
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive, shown in the full report): nodes start, epicgameslauncher.exe (#TROX), main.exe (no specs), slui.exe

Process information

PID: 2116
CMD: "C:\Users\admin\Desktop\EpicGamesLauncher.exe"
Path: C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\main.exe
Parent process: EpicGamesLauncher.exe
User: admin
Company: Epic Games, Inc.
Integrity Level: MEDIUM
Description: EpicGamesLauncher
Exit code: 0
Version: 16.10.0.0
Modules (images):
c:\users\admin\appdata\local\temp\onefile_6808_133963088555914643\main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\onefile_6808_133963088555914643\python310.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll

PID: 6320
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6808
CMD: "C:\Users\admin\Desktop\EpicGamesLauncher.exe"
Path: C:\Users\admin\Desktop\EpicGamesLauncher.exe
Parent process: explorer.exe
User: admin
Company: Epic Games, Inc.
Integrity Level: MEDIUM
Description: EpicGamesLauncher
Exit code: 0
Version: 16.10.0.0
Modules (images):
c:\users\admin\desktop\epicgameslauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events: 3 992
Read events: 3 992
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 25
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\_bz2.pyd | executable
  MD5: BBE89CF70B64F38C67B7BF23C0EA8A48
  SHA256: 775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\_socket.pyd | executable
  MD5: 0F5E64E33F4D328EF11357635707D154
  SHA256: 8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\_cffi_backend.pyd | executable
  MD5: EBB660902937073EC9695CE08900B13D
  SHA256: 52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\_decimal.pyd | executable
  MD5: 6339FA92584252C3B24E4CCE9D73EF50
  SHA256: 4AE6F6FB3992BB878416211221B3D62515E994D78F72EAB51E0126CA26D0EE96
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\_hashlib.pyd | executable
  MD5: D856A545A960BF2DCA1E2D9BE32E5369
  SHA256: CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\_ctypes.pyd | executable
  MD5: CA4CEF051737B0E4E56B7D597238DF94
  SHA256: E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\main.exe | executable
  MD5: 309BF4E6F1AA6EF0924643B11E01788B
  SHA256: 9AFD754F41B5C8B3EC151202279AE6CFB54AAE02BD8BEBB96E58467CAE11CAFF
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\python310.dll | executable
  MD5: DEAF0C0CC3369363B800D2E8E756A402
  SHA256: 156CF2B64DD0F4D9BDB346B654A11300D6E9E15A65EF69089923DAFC1C71E33D
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\unicodedata.pyd | executable
  MD5: 4C8AF8A30813E9380F5F54309325D6B8
  SHA256: 4B6E3BA734C15EC789B5D7469A5097BD082BDFD8E55E636DED0D097CF6511E05
6808 | EpicGamesLauncher.exe | C:\Users\admin\AppData\Local\Temp\onefile_6808_133963088555914643\select.pyd | executable
  MD5: C119811A40667DCA93DFE6FAA418F47A
  SHA256: 8F27CD8C5071CB740A2191B3C599E99595B121F461988166F07D9F841E7116B7
HTTP(S) requests: 6
TCP/UDP connections: 17
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5708 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
5944 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted

Threats

No threats detected
No debug info