File name:	bnyu.r
Full analysis:	https://app.any.run/tasks/311c6448-7c0a-461b-83ea-e13360d1383f
Verdict:	Malicious activity
Threats:	DonutLoader is a versatile, open-source-based in-memory loader that turns .NET assemblies, executables, DLLs, and scripts into position-independent shellcode for execution entirely in RAM. Originally derived from the popular Donut tool, it enables threat actors to bypass traditional antivirus and EDR solutions by avoiding disk writes and injecting payloads directly into legitimate Windows processes. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 22, 2026, 12:31:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer susp-powershell donutloader loader
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (47811), with CRLF line terminators
MD5:	A490AB0373F922D842891125441DD896
SHA1:	CBD86DB11499512F4894F0ED2FBC7ABF3BD513BD
SHA256:	9D0CE7A84E62E3458B82D682C7C3F97D095CB2FBA8CAA0263EE8929994990254
SSDEEP:	1536:n0UX4RhoAhDY/aS7TWfmVmli6Tao/W4w+6mnNYS8qF3BQz308KTjsgX7ThG1PuZC:n0s4kA2LYlDkSG7DfYx+


(PID) Process:	(8072) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

PID	Process	Filename		Type
7608	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L1OJN83DC7ZOSMU4DY8Q.temp		binary
		MD5:2FF56949B1995965EA251A71FECF4F3A	SHA256:CB81A9831A880FBC202AE094ED8891405BA106864E1E1C4FEC508B76B9D1E913
7608	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:2FF56949B1995965EA251A71FECF4F3A	SHA256:CB81A9831A880FBC202AE094ED8891405BA106864E1E1C4FEC508B76B9D1E913
7608	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe0d4a.TMP		binary
		MD5:00A03B286E6E0EBFF8D9C492365D5EC2	SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
7608	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2szvuuws.xd2.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7608	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ydjzb05s.che.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
204	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bj3gg3se.3f5.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
204	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2rxledaw.na3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7608	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:CED81704A99B2649EB1F03CF7D7DD1B8	SHA256:766B01A06A3F9A828D2F3B26949AEB6AC964EAECE1A0921CE76CCA3F06DBBCC4
204	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:B3E9B84E6FD9AAE69ACD096485389919	SHA256:3FC008E3BEA6F9948BFDD70F91BA2F556CBB1B77083F075292FCD87FCD7E185E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
8072	slui.exe	POST	500	128.24.231.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
—	—	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
3044	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
3044	svchost.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6768	SIHClient.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	NL	binary	824 b	whitelisted
6768	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted
6768	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	US	binary	813 b	whitelisted
6768	SIHClient.exe	GET	200	135.233.95.135:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	US	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
3044	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5276	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7380	slui.exe	128.24.231.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.241.205:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3044	svchost.exe	23.55.110.211:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
5276	MoUsoCoreWorker.exe	23.55.110.211:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
3044	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 20.73.194.208	whitelisted
activation-v2.sls.microsoft.com	128.24.231.64	whitelisted
www.bing.com	2.16.241.205 2.16.241.208 2.16.241.200 2.16.241.209 2.16.241.207 2.16.241.204 2.16.241.203 2.16.241.206 2.16.241.197	whitelisted
google.com	142.251.20.101 142.251.20.100 142.251.20.113 142.251.20.102 142.251.20.139 142.251.20.138	whitelisted
crl.microsoft.com	23.55.110.211 23.55.110.193	whitelisted
www.microsoft.com	88.221.169.152 23.52.181.212	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.159.64 20.190.159.129 40.126.31.131 40.126.31.71 20.190.159.68 20.190.159.75 20.190.159.2 20.190.159.73	whitelisted
tq.trxzidan.icu	188.114.96.3 188.114.97.3	unknown
slscr.update.microsoft.com	74.178.240.61	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .icu Domain
204	powershell.exe	Potentially Bad Traffic	ET INFO Suspicious Domain (*.icu) in TLS SNI

General Info

bnyu.r

A490AB0373F922D842891125441DD896

CBD86DB11499512F4894F0ED2FBC7ABF3BD513BD

9D0CE7A84E62E3458B82D682C7C3F97D095CB2FBA8CAA0263EE8929994990254

1536:n0UX4RhoAhDY/aS7TWfmVmli6Tao/W4w+6mnNYS8qF3BQz308KTjsgX7ThG1PuZC:n0s4kA2LYlDkSG7DfYx+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Dynamically loads an assembly (POWERSHELL)

Steals credentials from Web Browsers

DONUTLOADER has been detected (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Bypass execution policy to execute commands

Uses base64 encoding (POWERSHELL)

Possible stealing of messenger data

Possible stealing from crypto wallets

Possible stealing of VPN data

Possible stealing of FTP data

Possible stealing of email data

Possible stealing from browsers

Possible stealing from password managers

Possible stealing from 2fa

Multiple wallet extension IDs have been found

INFO

Creates a byte array (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Converts byte array into Unicode string (POWERSHELL)

Gets data length (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings