File name:	loader.exe
Full analysis:	https://app.any.run/tasks/86fc17b7-835b-46bd-97fa-410b87072837
Verdict:	Malicious activity
Threats:	DonutLoader is a versatile, open-source-based in-memory loader that turns .NET assemblies, executables, DLLs, and scripts into position-independent shellcode for execution entirely in RAM. Originally derived from the popular Donut tool, it enables threat actors to bypass traditional antivirus and EDR solutions by avoiding disk writes and injecting payloads directly into legitimate Windows processes. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	April 22, 2026, 20:07:31
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	miner lofty loader auto generic donutloader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 11 sections
MD5:	F565F9BDF513897F94DE8FD32AC82C3E
SHA1:	9A50751FE405C9416564E01D7952EC94C8E75572
SHA256:	910E62ED170C06A24102706986D3789BAE2B3E0618B6D1BE876FE4054B732E7B
SSDEEP:	98304:nDZZkkQQfPifnPL85vlx6aX9ZC5pGVFwjyka/iDONC9alAOjTJsvgDk6Pt40RTEz:7iUr1bknoDkGbc6

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2026:04:22 12:59:24+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	3724288
InitializedDataSize:	2471936
UninitializedDataSize:	-
EntryPoint:	0x8c1000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	-
FileDescription:	Loader
FileVersion:	1.0.0.0
InternalName:	loader.exe
LegalCopyright:	Copyright (C) 2025
OriginalFileName:	loader.exe
ProductName:	Loader
ProductVersion:	1.0.0.0


(PID) Process:	(1280) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1280) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1280) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile\ox_1776888464033\|adde07f55a6aff50
Operation:	write	Name:	ProgramId
Value: 000684d7560fbb18b757a525e271eb2dc6010000ffff
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile\ox_1776888464033\|adde07f55a6aff50
Operation:	write	Name:	FileId
Value: 00000d73d709f61dcd7d58984dd154c50b925049689c
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile\ox_1776888464033\|adde07f55a6aff50
Operation:	write	Name:	LowerCaseLongPath
Value: c:\users\admin\appdata\local\temp\ox_1776888464033.exe
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile\ox_1776888464033\|adde07f55a6aff50
Operation:	write	Name:	LongPathHash
Value: ox_1776888464033\|adde07f55a6aff50
(PID) Process:	(8188) WerFault.exe	Key:	\REGISTRY\A\{cf0ecd2d-4206-ccf4-4257-ca8ab55c76bf}\Root\InventoryApplicationFile\ox_1776888464033\|adde07f55a6aff50
Operation:	write	Name:	Name
Value: ox_1776888464033.exe

PID	Process	Filename		Type
8188	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ox_1776888464033_fcfff249ca5cccdf56dc408a58af357eee1dae_cd031579_dcbaba43-c355-4270-8d01-7a8e0cc584b0\Report.wer		—
		MD5:—	SHA256:—
1280	loader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Retev[1].htm		executable
		MD5:D712BE26FE4BBD0EE1FC9156EA74B705	SHA256:600FD59A6114E08606F4BBC881C1C156193FF01371E1144A05CA787D365E067D
8188	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BA2.tmp.dmp		binary
		MD5:04732360BC170BD3DD678E07E561B926	SHA256:39D5DF4E29AADBE27DCF5647961E5B3464FD0052BFC70A4CE99796ADEE1B2CEC
1280	loader.exe	C:\Users\admin\AppData\Local\Temp\ox_1776888464033.exe		executable
		MD5:D712BE26FE4BBD0EE1FC9156EA74B705	SHA256:600FD59A6114E08606F4BBC881C1C156193FF01371E1144A05CA787D365E067D
8188	WerFault.exe	C:\Windows\appcompat\Programs\Amcache.hve		binary
		MD5:EE9EE221F8CD1BDFDE4F860A9A639497	SHA256:97ED179B643AF2FA0961B7B37DC5B5631ADE3139CFA657DB16457DD1A77C3C0A
8188	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C30.tmp.xml		xml
		MD5:191C648D50245BC7CCC424D03475CE8D	SHA256:AF1B9C70B93285DCF4A610EB176D21E7FE59774C727BA28BFA2EE99A416730F2
8188	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C00.tmp.WERInternalMetadata.xml		xml
		MD5:CC2A695FC6CAB89557B1027C6DBCBB60	SHA256:9F5E0E44AD5CB04CE1BEF1B6AD8D7C0BE58B86B2456CB71D5E3882A9F0385A11
7512	MicrosoftEdgeWebview2Setup.exe	C:\Program Files (x86)\Microsoft\Temp\EU49B7.tmp\MicrosoftEdgeUpdateOnDemand.exe		executable
		MD5:7BCCF980A418155EED445DD5B84B96E0	SHA256:6B6750096417F6E91C4F649B34AFD5DF5216DA169A696BC9E241BD836A67BBFD
7512	MicrosoftEdgeWebview2Setup.exe	C:\Program Files (x86)\Microsoft\Temp\EU49B7.tmp\MicrosoftEdgeUpdateBroker.exe		executable
		MD5:E212E9CE45C567C7DBCE9BB326EF41E3	SHA256:9069297ADD7ADC264CBE198B6B2342C8248B994CBA1857231D9B6972339609AC
7512	MicrosoftEdgeWebview2Setup.exe	C:\Program Files (x86)\Microsoft\Temp\EU49B7.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe		executable
		MD5:4915479A8F28D2E3AD6B4F787A30574D	SHA256:122EBEBBCD93B4F9DE1E1938D9DDA5D46F5C7B6DA1E0CE2C2EC1CBE2058C5AF1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6076	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6076	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
2436	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
—	—	GET	200	188.114.97.3:443	https://vcc-redistributable.help/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt	US	executable	277 Kb	unknown
—	—	POST	200	40.126.31.1:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
—	—	POST	400	40.126.31.1:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
1280	loader.exe	GET	200	188.114.96.3:443	https://vcc-redistributable.help/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt	US	executable	277 Kb	malicious
2436	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.241.205:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
5276	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6076	svchost.exe	2.16.164.49:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6076	svchost.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.bing.com	2.16.241.205 2.16.241.207 2.16.241.218	whitelisted
google.com	142.251.110.101 142.251.110.102 142.251.110.138 142.251.110.100 142.251.110.113 142.251.110.139	whitelisted
crl.microsoft.com	2.16.164.49 23.55.110.211 23.55.110.193	whitelisted
www.microsoft.com	23.59.18.102 88.221.169.152	whitelisted
vcc-redistributable.help	188.114.96.3 188.114.97.3	unknown
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
login.live.com	40.126.31.71 40.126.31.131 20.190.159.75 40.126.31.67 20.190.159.68 40.126.31.3 40.126.31.73 40.126.31.128	whitelisted
watson.events.data.microsoft.com	135.233.45.221	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed UA-CPU Header
—	—	A Network Trojan was detected	ET MALWARE Possible Windows executable sent when remote host claims to send html content
1280	loader.exe	Misc activity	ET INFO Observed UA-CPU Header
1280	loader.exe	A Network Trojan was detected	ET MALWARE Possible Windows executable sent when remote host claims to send html content
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Possible Win32/Generic Loader User-agent observed (loader)
1280	loader.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Possible Win32/Generic Loader User-agent observed (loader)
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Possible Win32/Generic Loader User-agent observed (loader)
—	—	Misc activity	ET INFO Packed Executable Download
1280	loader.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Possible Win32/Generic Loader User-agent observed (loader)
1280	loader.exe	Misc activity	ET INFO Packed Executable Download

Process	Message
loader.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
loader.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
loader.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
loader.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
msedgewebview2.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\1575709424\Overlays directory exists )

General Info

loader.exe

F565F9BDF513897F94DE8FD32AC82C3E

9A50751FE405C9416564E01D7952EC94C8E75572

910E62ED170C06A24102706986D3789BAE2B3E0618B6D1BE876FE4054B732E7B

98304:nDZZkkQQfPifnPL85vlx6aX9ZC5pGVFwjyka/iDONC9alAOjTJsvgDk6Pt40RTEz:7iUr1bknoDkGbc6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Mutex associated with miner detected

Starts NET.EXE for service management

LOFTY has been detected

GENERIC has been found (auto)

DONUTLOADER has been detected (YARA)

GENERIC has been detected (SURICATA)

SUSPICIOUS

Query current time using 'w32tm.exe'

Executable content was dropped or overwritten

Executable started from TEMP via cmd.exe

Executes application which crashes

Reads the date of Windows installation

Starts a Microsoft application from unusual location

Silent install from TEMP directory

Starts itself from another location

Creates/Modifies COM task schedule object

Executes as Windows Service

Disables SEHOP

Application launched itself

Searches for installed software

INFO

Reads security settings of Internet Explorer

The sample compiled with english language support

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Create files in a temporary directory

Process checks computer location settings

Reads Environment values

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections