File name:

ESET-KeyGen_v1.5.4.7_win64.exe

Full analysis: https://app.any.run/tasks/aad3d8a1-c17b-4758-bde0-d3ae26dc40e7
Verdict: Malicious activity
Analysis date: April 22, 2025, 00:28:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

DE5080D848A92877212B8DBA67DDAB78

SHA1:

580E9345668656414B0873D04D2C79ABF0362775

SHA256:

ED25F651FF3DD184FB3B34DA17F0DBA68B91F578A00CE058D3D784B837F51452

SSDEEP:

98304:Kxb241Nu8MXsHQtSpupvGPW37nc9XLDbenkuA83wpYp2tww6M+/ggDgJx69Xzyxd:NE3sq9K570uYF5XM49wuK+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • Process drops legitimate windows executable

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • Starts CMD.EXE for commands execution

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)

    • Process drops python dynamic module

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • Loads Python modules

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)

    • Application launched itself

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • The process drops C-runtime libraries

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

  • INFO

    • Checks supported languages

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)
      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)

    • The sample compiled with english language support

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • Reads the machine GUID from the registry

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)

    • Reads the computer name

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • Checks operating system version

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)

    • PyInstaller has been detected (YARA)

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)
      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)

    • Checks proxy server information

      • slui.exe (PID: 8080)

    • Reads the software policy settings

      • slui.exe (PID: 8080)

    • Create files in a temporary directory

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7524)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • ESET-KeyGen_v1.5.4.7_win64.exe (PID: 7616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:09 15:38:20+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 178688
InitializedDataSize: 153600
UninitializedDataSize: -
EntryPoint: 0xc380
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start eset-keygen_v1.5.4.7_win64.exe conhost.exe no specs eset-keygen_v1.5.4.7_win64.exe no specs cmd.exe no specs cmd.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7524"C:\Users\admin\Desktop\ESET-KeyGen_v1.5.4.7_win64.exe" C:\Users\admin\Desktop\ESET-KeyGen_v1.5.4.7_win64.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\eset-keygen_v1.5.4.7_win64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeESET-KeyGen_v1.5.4.7_win64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7616"C:\Users\admin\Desktop\ESET-KeyGen_v1.5.4.7_win64.exe" C:\Users\admin\Desktop\ESET-KeyGen_v1.5.4.7_win64.exeESET-KeyGen_v1.5.4.7_win64.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\eset-keygen_v1.5.4.7_win64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7684C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeESET-KeyGen_v1.5.4.7_win64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
7704C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exeESET-KeyGen_v1.5.4.7_win64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
8080C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 622
Read events
3 622
Write events
0
Delete events
0

Modification events

No data
Executable files
66
Suspicious files
6
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\_ctypes.pydexecutable
MD5:A1E9B3CC6B942251568E59FD3C342205
SHA256:A8703F949C9520B76CB1875D1176A23A2B3EF1D652D6DFAC6E1DE46DC08B2AA3
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5
SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\_bz2.pydexecutable
MD5:B024A6F227EAFA8D43EDFC1A560FE651
SHA256:C0DD9496B19BA9536A78A43A97704E7D4BEF3C901D196ED385E771366682819D
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:9F746F4F7D845F063FEA3C37DCEBC27C
SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\_asyncio.pydexecutable
MD5:A3F434F6CFD2F339876E7D345FE178FB
SHA256:102043B17C20043E4624F60E444131382363B69FF0E683C13FA17AF156766483
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:8F8EB9CB9E78E3A611BC8ACAEC4399CB
SHA256:1BD81DFD19204B44662510D9054852FB77C9F25C1088D647881C9B976CC16818
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\_queue.pydexecutable
MD5:328E41B501A51B58644C7C6930B03234
SHA256:2782CF3C04801EDE65011BE282E99CD34D163B2B2B2333FD3147B33F7D5E72AB
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\_socket.pydexecutable
MD5:CD56F508E7C305D4BFDEB820ECF3A323
SHA256:9E97B782B55400E5A914171817714BBBC713C0A396E30496C645FC82835E4B34
7524ESET-KeyGen_v1.5.4.7_win64.exeC:\Users\admin\AppData\Local\Temp\_MEI75242\api-ms-win-core-fibers-l1-1-1.dllexecutable
MD5:050A30A687E7A2FA6F086A0DB89AA131
SHA256:FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
46
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6392
RUXIMICS.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7888
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
7888
SIHClient.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
6392
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7888
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/sls/ping
unknown
unknown
7888
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6392
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6392
RUXIMICS.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6392
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.66
  • 40.126.32.140
  • 40.126.32.76
  • 40.126.32.72
whitelisted
google.com
  • 172.217.23.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ESET-KeyGen_v1.5.4.7_win64.exe