File name:

_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe

Full analysis: https://app.any.run/tasks/d8236e2b-cc08-4053-8b1c-1ac3f4e8a8ae
Verdict: Malicious activity
Threats:

DonutLoader is a versatile, open-source-based in-memory loader that turns .NET assemblies, executables, DLLs, and scripts into position-independent shellcode for execution entirely in RAM. Originally derived from the popular Donut tool, it enables threat actors to bypass traditional antivirus and EDR solutions by avoiding disk writes and injecting payloads directly into legitimate Windows processes.

Analysis date: April 30, 2026, 15:39:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
donutloader
loader
pulsar
rat
inno
installer
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

69C45677CA158E6ECCBAFCFA02197E50

SHA1:

698666DC37205D2B50D7108E50011ECEC44446AF

SHA256:

1E49E5F2D02D715B5E77EDC22C6E738306D27B0151E7A8C33AD6AD192617B975

SSDEEP:

49152:shICbaFCqJxai4zBMk21JG77AH/qfXwLQUxjoMFaa:shIfFC4Yv2fG78H/sI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • PULSAR has been detected (YARA)

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • DONUTLOADER has been detected (YARA)

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads the computer name

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • Reads the machine GUID from the registry

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • Reads Environment values

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • Checks supported languages

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • There is functionality for taking screenshot (YARA)

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • Detects InnoSetup installer (YARA)

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
    • Application based on Rust

      • _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe (PID: 7200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:04:30 14:07:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 1335296
InitializedDataSize: 732672
UninitializedDataSize: -
EntryPoint: 0x13ef10
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.15.8.0
ProductVersionNumber: 1.15.8.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Google
FileDescription: Antigravity Setup
FileVersion: 1.15.8
LegalCopyright:
OriginalFileName:
ProductName: Antigravity
ProductVersion: 1.15.8
No data.
All screenshots are available in the full report
Total processes
135
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start #PULSAR _1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1456
C:\WINDOWS\System32\slui.exe -Embedding
C:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7200
"C:\Users\admin\Desktop\_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe"
C:\Users\admin\Desktop\_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
explorer.exe
User:
admin
Company:
Google
Integrity Level:
MEDIUM
Description:
Antigravity Setup
Version:
1.15.8
Modules
Images
c:\users\admin\desktop\_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcryptprimitives.dll
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
46
DNS requests
19
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
7200
_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
GET
302
140.82.121.3:443
https://github.com/DharmahTeach/Texts/raw/refs/heads/main/uploads/a6f9d7d681664bbf.dat
US
whitelisted
6508
SIHClient.exe
GET
304
74.179.77.204:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
7200
_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
GET
302
140.82.121.3:443
https://github.com/DharmahTeach/Texts/raw/refs/heads/main/uploads/a6f9d7d681664bbf.dat
US
7984
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
7984
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
GET
200
140.82.121.3:443
https://raw.githubusercontent.com/DharmahTeach/Texts/refs/heads/main/uploads/a6f9d7d681664bbf.dat
US
binary
1.61 Mb
whitelisted
1456
slui.exe
POST
500
128.24.231.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
7200
_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
GET
200
185.199.108.133:443
https://raw.githubusercontent.com/DharmahTeach/Texts/refs/heads/main/uploads/a6f9d7d681664bbf.dat
US
binary
1.61 Mb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5276
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5412
slui.exe
128.24.231.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7984
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7984
svchost.exe
2.16.164.120:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
7984
svchost.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
7200
_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted
5276
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 128.24.231.65
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
google.com
  • 142.251.20.100
  • 142.251.20.113
  • 142.251.20.139
  • 142.251.20.101
  • 142.251.20.102
  • 142.251.20.138
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 2.22.114.96
whitelisted
github.com
  • 140.82.121.3
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.128
  • 20.190.159.129
  • 20.190.159.0
  • 40.126.31.3
whitelisted
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted

Threats

PID
Process
Class
Message
5276
MoUsoCoreWorker.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
A Network Trojan was detected
ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
7200
_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
A Network Trojan was detected
ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
A Network Trojan was detected
ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
7200
_1e49e5f2d02d715b5e77edc22c6e738306d27b0151e7a8c33ad6ad192617b975.exe
A Network Trojan was detected
ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
No debug info