File name:	ESET-KeyGen_v1.5.4.7_win64.exe
Full analysis:	https://app.any.run/tasks/aad3d8a1-c17b-4758-bde0-d3ae26dc40e7
Verdict:	Malicious activity
Analysis date:	April 22, 2025, 00:28:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python pyinstaller
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	DE5080D848A92877212B8DBA67DDAB78
SHA1:	580E9345668656414B0873D04D2C79ABF0362775
SHA256:	ED25F651FF3DD184FB3B34DA17F0DBA68B91F578A00CE058D3D784B837F51452
SSDEEP:	98304:Kxb241Nu8MXsHQtSpupvGPW37nc9XLDbenkuA83wpYp2tww6M+/ggDgJx69Xzyxd:NE3sq9K570uYF5XM49wuK+W

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:04:09 15:38:20+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	178688
InitializedDataSize:	153600
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

PID	Process	Filename		Type
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_ctypes.pyd		executable
		MD5:A1E9B3CC6B942251568E59FD3C342205	SHA256:A8703F949C9520B76CB1875D1176A23A2B3EF1D652D6DFAC6E1DE46DC08B2AA3
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_decimal.pyd		executable
		MD5:FF0BF710EB2D7817C49E1F4E21502073	SHA256:C6EB532DA62A115AE75F58766B632E005140A2E7C9C67A77564F1804685A377F
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\VCRUNTIME140.dll		executable
		MD5:F34EB034AA4A9735218686590CBA2E8B	SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_bz2.pyd		executable
		MD5:B024A6F227EAFA8D43EDFC1A560FE651	SHA256:C0DD9496B19BA9536A78A43A97704E7D4BEF3C901D196ED385E771366682819D
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_hashlib.pyd		executable
		MD5:69DC506CF2FA3DA9D0CABA05FCA6A35D	SHA256:C5B8C4582E201FEF2D8CB2C8672D07B86DEC31AFB4A17B758DBFB2CFF163B12F
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_asyncio.pyd		executable
		MD5:A3F434F6CFD2F339876E7D345FE178FB	SHA256:102043B17C20043E4624F60E444131382363B69FF0E683C13FA17AF156766483
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\api-ms-win-core-fibers-l1-1-1.dll		executable
		MD5:050A30A687E7A2FA6F086A0DB89AA131	SHA256:FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_overlapped.pyd		executable
		MD5:FA44F2AC914B98BCEC6DD102EC612F87	SHA256:AC33B6B3AACC31D2DB8A502110881B4B711E2FB94983F85581E30953C9AC4721
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\_uuid.pyd		executable
		MD5:D7074A9D35ED4FF90B93660ED4F1BA75	SHA256:C4CE019FBD541918D3E7DDF7845BF0449068FC7EEE3B57DA730860FC7741D561
7524	ESET-KeyGen_v1.5.4.7_win64.exe	C:\Users\admin\AppData\Local\Temp\_MEI75242\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:9F45A47EBFD9D0629F4935764243DD5A	SHA256:1CA895ABA4E7435563A6B43E85EBA67A0F8C74AA6A6A94D0FC48FA35535E2585

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6392	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6392	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7888	SIHClient.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7888	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7888	SIHClient.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
7888	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6392	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.190.160.132:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.132:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6392	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6392	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
login.live.com	20.190.160.132 40.126.32.138 20.190.160.17 20.190.160.22 20.190.160.66 40.126.32.140 40.126.32.76 40.126.32.72	whitelisted
google.com	172.217.23.110	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156 2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted

General Info

ESET-KeyGen_v1.5.4.7_win64.exe

DE5080D848A92877212B8DBA67DDAB78

580E9345668656414B0873D04D2C79ABF0362775

ED25F651FF3DD184FB3B34DA17F0DBA68B91F578A00CE058D3D784B837F51452

98304:Kxb241Nu8MXsHQtSpupvGPW37nc9XLDbenkuA83wpYp2tww6M+/ggDgJx69Xzyxd:NE3sq9K570uYF5XM49wuK+W

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops python dynamic module

Loads Python modules

Application launched itself

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

Reads the computer name

PyInstaller has been detected (YARA)

Checks operating system version

Reads the machine GUID from the registry

Drops encrypted JS script (Microsoft Script Encoder)

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings