File name: EliteMEGA.exe

Full analysis: https://app.any.run/tasks/5d0d20c5-0032-4a89-a4eb-209ceebdd6ae
Verdict: Malicious activity
Analysis date: June 21, 2025, 19:51:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: B8955763C07B0A4D7FBC40C2F8651ECB
SHA1: 6C4223F3A5CAC77FF19235BA769894B363B31113
SHA256: DB6DF8D9AE5E8E6DB0C33DD7A282FB2FC917829358F9E104EDB8ED715398383B
SSDEEP: 98304:3C3CpAmOAMBtg3Rm1T8OFOMYFr3ZyUuYA3w31a+kzK/7ueSnKHdyIS0x8UBAoFq2:6xia2ztwkWR7fGDfarL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • EliteMEGA.exe (PID: 3976)
    • Executable content was dropped or overwritten
      • EliteMEGA.exe (PID: 3976)
    • The process drops C-runtime libraries
      • EliteMEGA.exe (PID: 3976)
    • Process drops python dynamic module
      • EliteMEGA.exe (PID: 3976)
    • Application launched itself
      • EliteMEGA.exe (PID: 3976)
    • Loads Python modules
      • EliteMEGA.exe (PID: 7048)
  • INFO
    • Checks supported languages
      • EliteMEGA.exe (PID: 3976)
      • EliteMEGA.exe (PID: 7048)
    • The sample compiled with English language support
      • EliteMEGA.exe (PID: 3976)
    • Create files in a temporary directory
      • EliteMEGA.exe (PID: 3976)
    • Reads the computer name
      • EliteMEGA.exe (PID: 3976)
      • EliteMEGA.exe (PID: 7048)
    • Reads the machine GUID from the registry
      • EliteMEGA.exe (PID: 7048)
    • Checks proxy server information
      • slui.exe (PID: 6236)
    • Reads the software policy settings
      • slui.exe (PID: 6236)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)
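TRiD and the EXIF fields below identify only a generic Win64 GUI executable. The report's python tag, the C runtime and .pyd files dropped into %TEMP%\_MEI39762 and the self-relaunch recorded further down are consistent with a PyInstaller onefile build, and that can be confirmed statically before running anything: PyInstaller appends a CArchive to its bootloader whose 88-byte trailer (the cookie) starts with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e and records the archive length, the table-of-contents position and the Python version. The script below is an added example, not part of the ANY.RUN report; it locates that cookie, lists the archive entries by type and inflates an entry. The archive it decodes when run without arguments is constructed inside the block (names such as payload_script are made up); point it at EliteMEGA.exe to check the sample. The 24-byte cookie layout of PyInstaller versions before 2.1 is not handled.

```python
"""Static PyInstaller check (added example, not part of the report).

PyInstaller appends a CArchive to its bootloader EXE. The archive ends with a
cookie that starts with a fixed magic and says where the table of contents
(TOC) lives, so bundled scripts and modules can be listed without execution.
"""
import struct
import sys
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"  # CArchive cookie magic (PyInstaller >= 2.1 layout)
COOKIE_FMT = "!8sIIii64s"            # magic, archive len, TOC offset, TOC len, py version, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)        # 88 bytes, big-endian
TOC_ENTRY_FMT = "!iIIIBc"            # entry len, data offset, stored len, uncompressed len, zlib flag, type code
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)  # 18 bytes; the NUL-padded entry name follows
# Type codes: s entry script, m/M module/package, b binary, z PYZ archive, x data, d dependency, o option

@dataclass
class Cookie:
    archive_start: int   # absolute file offset where the CArchive begins
    toc_offset: int      # TOC position relative to archive_start
    toc_len: int
    python_version: int  # major*100 + minor, e.g. 311
    python_lib: str      # e.g. "python311.dll"

@dataclass
class Entry:
    name: str
    offset: int          # relative to archive_start
    stored_len: int
    uncompressed_len: int
    compressed: bool
    typecode: str

def find_cookie(data: bytes) -> Optional[Cookie]:
    """Decode the cookie, or return None if the file carries no PyInstaller archive."""
    # Search backwards: the cookie is the last part of the archive, and an
    # Authenticode signature appended after it means it need not sit at EOF.
    pos = data.rfind(MAGIC)
    while pos != -1:
        if pos + COOKIE_LEN <= len(data):
            _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
            start = pos + COOKIE_LEN - pkg_len
            # Geometry check so a stray copy of the magic is not mistaken for the cookie.
            if start >= 0 and toc_off > 0 and toc_len > 0 and toc_off + toc_len <= pkg_len - COOKIE_LEN:
                lib = pylib.split(b"\0", 1)[0].decode("ascii", "replace")
                return Cookie(start, toc_off, toc_len, pyver, lib)
        pos = data.rfind(MAGIC, 0, pos)
    return None

def list_entries(data: bytes, cookie: Cookie) -> List[Entry]:
    """Walk the TOC; stop at the first malformed entry instead of looping forever."""
    toc_start = cookie.archive_start + cookie.toc_offset
    toc = data[toc_start:toc_start + cookie.toc_len]
    entries, pos = [], 0
    while pos + TOC_ENTRY_LEN <= len(toc):
        elen, off, slen, ulen, cflag, tcode = struct.unpack_from(TOC_ENTRY_FMT, toc, pos)
        if elen < TOC_ENTRY_LEN or pos + elen > len(toc):
            break
        name = toc[pos + TOC_ENTRY_LEN:pos + elen].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(Entry(name, off, slen, ulen, bool(cflag), tcode.decode("latin-1")))
        pos += elen
    return entries

def read_entry(data: bytes, cookie: Cookie, e: Entry) -> bytes:
    """Return an entry's payload, inflating it when the TOC marks it zlib-compressed."""
    start = cookie.archive_start + e.offset
    raw = data[start:start + e.stored_len]
    return zlib.decompress(raw) if e.compressed else raw

def triage(data: bytes) -> dict:
    """First questions for a sample: PyInstaller at all, which Python, which script runs."""
    cookie = find_cookie(data)
    if cookie is None:
        return {"pyinstaller": False}
    entries = list_entries(data, cookie)
    return {
        "pyinstaller": True,
        "python_version": cookie.python_version,
        "python_lib": cookie.python_lib,
        "entry_scripts": [e.name for e in entries if e.typecode == "s"],
        "binaries": [e.name for e in entries if e.typecode == "b"],
        "entry_count": len(entries),
    }

def build_archive(prefix: bytes, items: List[Tuple[str, bytes, str, bool]],
                  pyver: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Test fixture only: append a minimal CArchive (data, TOC, cookie) to `prefix`."""
    blob, toc = b"", b""
    for name, payload, typecode, compress in items:
        body = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\0"
        elen = TOC_ENTRY_LEN + len(name_b)
        elen += (-elen) % 16  # PyInstaller pads TOC entries to 16-byte boundaries
        toc += struct.pack(TOC_ENTRY_FMT, elen, len(blob), len(body), len(payload),
                           int(compress), typecode.encode()) + name_b.ljust(elen - TOC_ENTRY_LEN, b"\0")
        blob += body
    pkg_len = len(blob) + len(toc) + COOKIE_LEN
    return prefix + blob + toc + struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blob), len(toc), pyver, pylib)

# Constructed sample: a fake bootloader stub followed by a three-entry archive (names made up).
SAMPLE = build_archive(b"MZ" + b"\0" * 62 + b"fake bootloader ", [
    ("pyi_rth_inspect", b"# runtime hook\n", "m", False),
    ("payload_script", b"import os\nprint('hello')\n", "s", True),
    ("VCRUNTIME140.dll", b"not a real dll", "b", False),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(triage(data))
    cookie = find_cookie(data)
    for e in (list_entries(data, cookie) if cookie else []):
        print(f"{e.typecode} {'zlib' if e.compressed else 'raw ':4} {e.uncompressed_len:>8} {e.name}")
```

The entry of type s is the script the bootloader hands to the embedded interpreter and is what goes to a bytecode decompiler; the b entries are the DLLs and .pyd files the bootloader writes into the _MEI directory, so their names should line up with the Dropped files list further down.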

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 19:46:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (rendered in the full report)

start > elitemega.exe > elitemega.exe (no specs); slui.exe

Process information

PID 3976
  CMD: "C:\Users\admin\Desktop\EliteMEGA.exe"
  Path: C:\Users\admin\Desktop\EliteMEGA.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1
  Modules (images):
    c:\users\admin\desktop\elitemega.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll

PID 6236
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7048
  CMD: "C:\Users\admin\Desktop\EliteMEGA.exe"
  Path: C:\Users\admin\Desktop\EliteMEGA.exe
  Parent process: EliteMEGA.exe (PID 3976)
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1
  Modules (images):
    c:\users\admin\desktop\elitemega.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
Total events: 3 671
Read events: 3 671
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 64
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID   Process        Filename                                                                    Type
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\VCRUNTIME140.dll                executable
      MD5: 11D9AC94E8CB17BD23DEA89F8E757F18
      SHA256: E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_queue.pyd                      executable
      MD5: C9EE37E9F3BFFD296ADE10A27C7E5B50
      SHA256: 9ECEC72C5FE3C83C122043CAD8CEB80D239D99D03B8EA665490BBCED183CE42A
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_asyncio.pyd                    executable
      MD5: 6C2A86342ADE2FAC9454B83A49D17694
      SHA256: CF0EDFD508D11BFFB63D1B104B6099E0F14EA0FADA762F88364E7163F2185F06
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_overlapped.pyd                 executable
      MD5: 5BFE7D9E1877FDDE718BB84B67D8BE68
      SHA256: FE5666C1C8215CD2773744C815FB4A3B2F52F64CF0DDE25D458441DA22BF5568
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_ssl.pyd                        executable
      MD5: 11C5008E0BA2CAA8ADF7452F0AAAFD1E
      SHA256: BF63F44951F14C9D0C890415D013276498D6D59E53811BBE2FA16825710BEA14
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\api-ms-win-core-datetime-l1-1-0.dll  executable
      MD5: 1DC5B99C16502D75DD924EEDA562461C
      SHA256: 4E08856FF5203592C27F943F5586D2214B7C5DACDE1B1EF75C2316590AB788C9
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_ctypes.pyd                     executable
      MD5: 79F339753DC8954B8EB45FE70910937E
      SHA256: 35CDD122679041EBEF264DE5626B7805F3F66C8AE6CC451B8BC520BE647FA007
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_decimal.pyd                    executable
      MD5: 1CDD7239FC63B7C8A2E2BC0A08D9EA76
      SHA256: 384993B2B8CFCBF155E63F0EE2383A9F9483DE92AB73736FF84590A0C4CA2690
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_multiprocessing.pyd            executable
      MD5: FCE357F864A558C03ED17755F87D0E30
      SHA256: 000486AAAC9DD21E88B3DC65FD854DD83519B1FBCC224A70530BC3EC8CBD1A5D
3976  EliteMEGA.exe  C:\Users\admin\AppData\Local\Temp\_MEI39762\_bz2.pyd                        executable
      MD5: B45E82A398713163216984F2FEBA88F6
      SHA256: 4C2649DC69A8874B91646723AACB84C565EFEAA4277C46392055BCA9A10497A8
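The rows above are the report's own data, ten of the 64 executable files it counts. Together they account for every SUSPICIOUS indicator in this report: PyInstaller's Windows bootloader extracts into %TEMP%\_MEI followed by its own PID and a one-digit counter (here _MEI39762 for PID 3976), writes the Microsoft C runtime and the CPython extension modules (.pyd) that the bundled program's import graph reaches, and then relaunches itself as the child that loads them (PID 7048). As an added example, not part of the ANY.RUN report, the script below parses rows in the page's flattened format, recovers the hashes as IOCs, and checks that staging pattern. The four embedded rows are copied from the report; the classify labels are my own, and the PID check is a heuristic.

```python
"""Triage the Dropped files rows of an ANY.RUN report (added example, not part of the report).

The page flattens each row to <PID><process><path><type>, followed by MD5:
and SHA256: lines. Parsing it recovers IOCs and lets a script check the
PyInstaller onefile staging pattern: CRT and .pyd files dropped into
%TEMP%\\_MEI<digits> by the parent PID, which then relaunches itself.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# First four rows copied from the report above; paste the remaining rows in the same shape.
REPORT_ROWS = r"""
3976EliteMEGA.exeC:\Users\admin\AppData\Local\Temp\_MEI39762\VCRUNTIME140.dllexecutable
MD5:11D9AC94E8CB17BD23DEA89F8E757F18
SHA256:E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
3976EliteMEGA.exeC:\Users\admin\AppData\Local\Temp\_MEI39762\_ssl.pydexecutable
MD5:11C5008E0BA2CAA8ADF7452F0AAAFD1E
SHA256:BF63F44951F14C9D0C890415D013276498D6D59E53811BBE2FA16825710BEA14
3976EliteMEGA.exeC:\Users\admin\AppData\Local\Temp\_MEI39762\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:1DC5B99C16502D75DD924EEDA562461C
SHA256:4E08856FF5203592C27F943F5586D2214B7C5DACDE1B1EF75C2316590AB788C9
3976EliteMEGA.exeC:\Users\admin\AppData\Local\Temp\_MEI39762\_ctypes.pydexecutable
MD5:79F339753DC8954B8EB45FE70910937E
SHA256:35CDD122679041EBEF264DE5626B7805F3F66C8AE6CC451B8BC520BE647FA007
"""

# <pid> is greedy digits, so the process name starts at the first non-digit; the
# trailing type word anchors the end of the path.
ROW_RE = re.compile(r"^(?P<pid>\d+)(?P<proc>.+?\.exe)(?P<path>[A-Za-z]:\\.+?)"
                    r"(?P<kind>executable|text|binary|image|unknown)$")
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA256):(?P<val>[0-9A-Fa-f]+)$")
MEI_RE = re.compile(r"\\_MEI(\d+)\\")

@dataclass
class Drop:
    pid: int
    process: str
    path: str
    kind: str
    md5: str = ""
    sha256: str = ""

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse_drops(text: str) -> List[Drop]:
    """Turn the flattened rows into Drop records, attaching hash lines to the preceding row."""
    drops: List[Drop] = []
    for line in text.splitlines():
        line = line.strip()
        if m := ROW_RE.match(line):
            drops.append(Drop(int(m["pid"]), m["proc"], m["path"], m["kind"]))
        elif (m := HASH_RE.match(line)) and drops:
            setattr(drops[-1], m["alg"].lower(), m["val"].upper())
    return drops

def classify(name: str) -> str:
    """Coarse label (my own categories) so runtime plumbing stands apart from anything unexpected."""
    n = name.lower()
    if n.endswith(".pyd"):
        return "cpython extension module"
    if n.startswith("api-ms-win-"):
        return "windows api-set forwarder"
    if n.startswith(("vcruntime", "msvcp", "ucrtbase")):
        return "microsoft c runtime"
    if n.startswith("python") and n.endswith(".dll"):
        return "cpython runtime dll"
    return "other"

def pyinstaller_staging(drops: List[Drop]) -> dict:
    """Heuristic: the Windows bootloader names its extraction dir _MEI<own PID><one-digit counter>."""
    dirs = sorted({m.group(1) for d in drops if (m := MEI_RE.search(d.path))})
    result = {"staging_dirs": dirs, "pid_matches": False}
    for digits in dirs:
        owners = {d.pid for d in drops if f"\\_MEI{digits}\\" in d.path}
        if any(digits.startswith(str(p)) and len(digits) == len(str(p)) + 1 for p in owners):
            result["pid_matches"] = True
    return result

def triage(text: str) -> dict:
    drops = parse_drops(text)
    kinds = Counter(classify(d.name) for d in drops)
    return {
        "drops": len(drops),
        **pyinstaller_staging(drops),
        "kinds": dict(kinds),
        "extension_modules": sorted(d.name for d in drops if d.name.lower().endswith(".pyd")),
        "unexpected": [d.name for d in drops if classify(d.name) == "other"],
        "sha256": [d.sha256 for d in drops if d.sha256],
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_ROWS), indent=2))
```

Because PyInstaller bundles only the modules its import analysis finds, the extension module list is a cheap capability hint: _ssl alongside _asyncio and _overlapped points at asynchronous TLS networking, _ctypes at direct native calls. Treat that as a lead for the decompiled script, not a finding; note that in this run neither EliteMEGA.exe process made any network connection.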
HTTP(S) requests: 32
TCP/UDP connections: 47
DNS requests: 17
Threats: 0

HTTP requests

PID   Process            Method  Code  IP                   URL                                                                          CN       Type  Size     Reputation
1268  svchost.exe        GET     200   23.53.40.176:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl    unknown  -     -        whitelisted
1812  RUXIMICS.exe       GET     200   23.53.40.176:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl    unknown  -     -        whitelisted
1268  svchost.exe        GET     200   95.101.149.131:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl           unknown  -     -        whitelisted
5944  MoUsoCoreWorker.exe  GET   200   23.53.40.176:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl    unknown  -     -        whitelisted
1812  RUXIMICS.exe       GET     200   95.101.149.131:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl           unknown  -     -        whitelisted
5944  MoUsoCoreWorker.exe  GET   200   95.101.149.131:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl           unknown  -     -        whitelisted
-     -                  POST    200   20.190.160.66:443    https://login.live.com/RST2.srf                                              unknown  xml   1.24 Kb  whitelisted
-     -                  POST    200   20.190.160.128:443   https://login.live.com/ppsecure/deviceaddcredential.srf                      unknown  text  16.7 Kb  whitelisted
-     -                  POST    200   20.190.160.67:443    https://login.live.com/RST2.srf                                              unknown  xml   11.1 Kb  whitelisted
-     -                  POST    200   20.190.160.128:443   https://login.live.com/RST2.srf                                              unknown  xml   11.0 Kb  whitelisted

Connections

PID   Process              IP                    Domain                           ASN                           CN  Reputation
4     System               192.168.100.255:137   -                                -                             -   whitelisted
5944  MoUsoCoreWorker.exe  20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
1812  RUXIMICS.exe         20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
1268  svchost.exe          20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
4     System               192.168.100.255:138   -                                -                             -   whitelisted
1268  svchost.exe          23.53.40.176:80       crl.microsoft.com                Akamai International B.V.     DE  whitelisted
5944  MoUsoCoreWorker.exe  23.53.40.176:80       crl.microsoft.com                Akamai International B.V.     DE  whitelisted
1812  RUXIMICS.exe         23.53.40.176:80       crl.microsoft.com                Akamai International B.V.     DE  whitelisted
1268  svchost.exe          95.101.149.131:80     www.microsoft.com                Akamai International B.V.     NL  whitelisted
5944  MoUsoCoreWorker.exe  95.101.149.131:80     www.microsoft.com                Akamai International B.V.     NL  whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.66
  • 20.190.160.4
  • 20.190.160.128
  • 40.126.32.134
  • 20.190.160.67
  • 40.126.32.72
  • 40.126.32.76
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info