File name: eld3.exe

Full analysis: https://app.any.run/tasks/32638428-cc4e-4994-8cfa-970305fa0047
Verdict: Malicious activity
Analysis date: December 21, 2025, 06:15:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: anti-evasion, python, pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: CDB67B1C54903F223F7DCCA14AEA67DF
SHA1: DAC11017ABB2D6D196A527C2101AA7077EBC8910
SHA256: 4FF37E0D4B7D74C84BD26AE956A71441D8595F22C4EF1C9DB6FBFC1EE2325F5F
SSDEEP: 98304:AO0/TtJF80nZZ3NteNQCrak9Sz4yEtZxrSxdG2i+6Y0YTShZMPeZznZXgD5x932N:0TLKZUbmIaUkM0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • eld3.exe (PID: 7532)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • eld3.exe (PID: 7512)
    • Process drops legitimate windows executable

      • eld3.exe (PID: 7512)
    • The process drops C-runtime libraries

      • eld3.exe (PID: 7512)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7552)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7608)
    • Application launched itself

      • eld3.exe (PID: 7512)
    • Starts CMD.EXE for commands execution

      • eld3.exe (PID: 7532)
    • Process drops python dynamic module

      • eld3.exe (PID: 7512)
    • Loads Python modules

      • eld3.exe (PID: 7532)
  • INFO

    • Create files in a temporary directory

      • eld3.exe (PID: 7512)
    • Checks supported languages

      • eld3.exe (PID: 7532)
      • eld3.exe (PID: 7512)
    • The sample compiled with english language support

      • eld3.exe (PID: 7512)
    • Reads the computer name

      • eld3.exe (PID: 7512)
      • eld3.exe (PID: 7532)
    • Launching a file from a Registry key

      • eld3.exe (PID: 7532)
    • Reads the machine GUID from the registry

      • eld3.exe (PID: 7532)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7608)
    • Checks proxy server information

      • eld3.exe (PID: 7532)
    • PyInstaller has been detected (YARA)

      • eld3.exe (PID: 7532)
      • eld3.exe (PID: 7512)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2021:04:15 05:29:57+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.28
CodeSize: 134656
InitializedDataSize: 141312
UninitializedDataSize: -
EntryPoint: 0x88fc
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 148
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: start, eld3.exe, eld3.exe, cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), slui.exe (no specs)

Process information

PID: 5408
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7512
CMD: "C:\Users\admin\AppData\Local\Temp\eld3.exe"
Path: C:\Users\admin\AppData\Local\Temp\eld3.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\eld3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7532
CMD: "C:\Users\admin\AppData\Local\Temp\eld3.exe"
Path: C:\Users\admin\AppData\Local\Temp\eld3.exe
Parent process: eld3.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\eld3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7552
CMD: C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"
Path: C:\Windows\System32\cmd.exe
Parent process: eld3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 7560
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7608
CMD: wmic csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events: 759
Read events: 758
Write events: 1
Delete events: 0

Modification events

(PID) Process: (7532) eld3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: autogen
Value: C:\Users\admin\AppData\Local\Temp\eld3.exe
Executable files: 14
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\_lzma.pyd | executable
MD5: A567A2ECB4737E5B70500EAC25F23049
SHA256: A4CBA6D82369C57CB38A32D4DACB99225F58206D2DD9883F6FC0355D6DDAEC3D
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\_ssl.pyd | executable
MD5: D429FF3FD91943AD8539C076C2A0C75F
SHA256: 45C8B99BA9E832CAB85E9D45B5601B7A1D744652E7F756EC6A6091E1D8398DD4
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\_socket.pyd | executable
MD5: D7E7A7592338CE88E131F858A84DEEC6
SHA256: 4BA5D0E236711BDCB29CE9C3138406F7321BD00587B6B362B4ACE94379CF52D5
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\_ctypes.pyd | executable
MD5: 2F21F50D2252E3083555A724CA57B71E
SHA256: 09887F07F4316057D3C87E3A907C2235DC6547E54ED4F5F9125F99E547D58BCE
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\_hashlib.pyd | executable
MD5: C3B19AD5381B9832E313A448DE7C5210
SHA256: BDF4A536F783958357D2E0055DEBDC3CF7790EE28BEB286452EEC0354A346BDC
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\certifi\cacert.pem | text
MD5: 3DCD08B803FBB28231E18B5D1EEF4258
SHA256: DE2FA17C4D8AE68DC204A1B6B58B7A7A12569367CFEB8A3A4E1F377C73E83E9E
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\_bz2.pyd | executable
MD5: 4079B0E80EF0F97CE35F272410BD29FE
SHA256: 466D21407F5B589B20C464C51BFE2BE420E5A586A7F394908448545F16B08B33
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\libssl-1_1-x64.dll | executable
MD5: 4EC3C7FE06B18086F83A18FFBB3B9B55
SHA256: 9D35D8DD9854A4D4205AE4EAFE28C92F8D0E3AC7C494AC4A6A117F6E4B45170C
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\pyexpat.pyd | executable
MD5: C07E41D262AFD5EA693D38D7217E0AB0
SHA256: 3AEA3048FD56F0E4CEA65401D36DF2185F516AA31FCF92F93C28E569072246BB
7512 | eld3.exe | C:\Users\admin\AppData\Local\Temp\_MEI75122\unicodedata.pyd | executable
MD5: 7D1F105CF81820BB6D0962B669897DDE
SHA256: 71B13FD922190081D3AEEC8628BD72858CC69EE553E16BF3DA412F535108D0E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 26
TCP/UDP connections: 28
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | - | - | whitelisted
7072 | svchost.exe | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
7072 | svchost.exe | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
508 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | whitelisted
508 | SIHClient.exe | GET | 200 | 20.165.94.63:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | whitelisted
508 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
7072 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
1784 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1784 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
1784 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6500 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
3412 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7532 | eld3.exe | 94.75.227.181:80 | peerycli.com | LEASEWEB-NL-AMS-01 Netherlands | NL | whitelisted
7072 | svchost.exe | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7072 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1784 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.185.78 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
peerycli.com | 94.75.227.181 | whitelisted
login.live.com | 20.190.160.2, 40.126.32.138, 20.190.160.4, 20.190.160.20, 40.126.32.74, 20.190.160.131, 20.190.160.130, 40.126.32.68 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6, 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 72.246.29.11, 88.221.169.152 | whitelisted
slscr.update.microsoft.com | 20.165.94.63 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info