File name: gay.exe

Full analysis: https://app.any.run/tasks/52fcce1f-de9e-4164-be58-353b64dac41a
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:00:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5: E2D123853B190265C36D16CF78F40B69
SHA1: BA3C0A6C8DA60CB14A32D17564F03C7B54ACF1D0
SHA256: 4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22
SSDEEP: 98304:mlkP1Unva5OKSbAmTorzntGdMyk+AtBmkFyHqc6Xphr6j+P2TfgrHiQc6rlW8bHH:JFJ/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • gay.exe (PID: 2952)
    • Create files in the Startup directory
      • gay.exe (PID: 2952)
    • Uses Task Scheduler to run other applications
      • gay.exe (PID: 2952)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • gay.exe (PID: 2952)
    • Connects to unusual port
      • gay.exe (PID: 2952)
  • INFO
    • The sample compiled with english language support
      • gay.exe (PID: 2952)
    • Reads the machine GUID from the registry
      • gay.exe (PID: 2952)
    • Checks supported languages
      • gay.exe (PID: 2952)
    • Reads the computer name
      • gay.exe (PID: 2952)
    • Failed to create an executable file in Windows directory
      • gay.exe (PID: 2952)
    • Creates files or folders in the user directory
      • gay.exe (PID: 2952)
    • Launching a file from a Registry key
      • gay.exe (PID: 2952)
    • Launching a file from the Startup directory
      • gay.exe (PID: 2952)
    • Checks proxy server information
      • slui.exe (PID: 2808)
    • Reads the software policy settings
      • slui.exe (PID: 2808)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2080:02:20 09:36:36+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 4305920
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.3.4.4
ProductVersionNumber: 4.3.4.4
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: aazko8pfeqwto
ProductName: aazko8pfeqwto
ProductVersion: 4.3.4.4
LegalCopyright: aazko8pfeqwto
OriginalFileName: aazko8pfeqwto.exe
No data.
Total processes
139
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in the graph: gay.exe, schtasks.exe, conhost.exe, schtasks.exe, conhost.exe, slui.exe

Process information

PID: 2280
CMD: "schtasks" /create /tn "Psched" /tr "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\HwNClx0101\volsnap\W32Time\kbldfltr.exe" /sc MINUTE /mo 15 /ru "SYSTEM" /rl HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: gay.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2808
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2952
CMD: "C:\Users\admin\Desktop\gay.exe"
Path: C:\Users\admin\Desktop\gay.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
aazko8pfeqwto
Modules
Images
c:\users\admin\desktop\gay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4012
CMD: "schtasks" /create /tn "VacSvc" /tr "C:\Users\admin\Documents\stexstor\Npfs\WindowsTrustedRTProxy.exe" /sc MINUTE /mo 15 /ru "SYSTEM" /rl HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: gay.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4580
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 375
Read events
4 372
Write events
3
Delete events
0

Modification events

PID: 2952
Process: gay.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: WwanSvc
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\spaceport\msiserver\HTTP.exe"

PID: 2952
Process: gay.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AssignedAccessManagerSvc
Value: "C:\Users\admin\EntAppSvc\UserDataSvc_386be\hidi2c.exe"

PID: 2952
Process: gay.exe
Key: HKEY_CURRENT_USER\SOFTWARE\F8129A35CB0B2583252ADC9C82B26740
Operation: write
Name: 7ACC172CD44DDC99962B58A669E06C2C
Value: 4OuI6Qwk7jgMaeWhuw1a0Ww/gk3Mdx5ojSjQXQlv2Oc=
Executable files
18
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type

2952 | gay.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\spaceport\msiserver\HTTP.exe | executable
MD5: E2D123853B190265C36D16CF78F40B69
SHA256: 4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22

2952 | gay.exe | C:\Users\admin\Documents\stexstor\Npfs\RCX9501.tmp | executable
MD5: 09AC9868C87662EBA8A05B189620C568
SHA256: 0F758513EA463ADC928EAD9E07BB3293E6098A63CE90D53AD7D2B4FC7E316AD2

2952 | gay.exe | C:\Users\admin\EntAppSvc\UserDataSvc_386be\hidi2c.exe | executable
MD5: E2D123853B190265C36D16CF78F40B69
SHA256: 4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22

2952 | gay.exe | C:\Users\admin\Dhcp\FrameServer\OneSyncSvc_386be.exe | executable
MD5: E2D123853B190265C36D16CF78F40B69
SHA256: 4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22

2952 | gay.exe | C:\Users\admin\Documents\HidUsb\PptpMiniport\RCX8B0C.tmp | executable
MD5: 44C515A484E6FC92D36EC8337B833DB6
SHA256: E9F29F650D1B013720FCF671BBFBFA59E77751785229C9EE805B6BFD2F2D6CB0

2952 | gay.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AJRouter.lnk | binary
MD5: 47D5EB24A0D9D84510D90DE3ADC0B4C1
SHA256: 6AAFF423B0E789C277C838A3E8EB50C0EDFC28C8B9A77D8224C00FFF5459F91F

2952 | gay.exe | C:\Users\admin\Dhcp\FrameServer\RCX85CC.tmp | executable
MD5: 74EB6E51FBBC5E9CF73D6105D2E6588E
SHA256: 6EC6F43B052E4B0ABF01DADD9361E645295D5E5496B6B46237010E3589BD4AD4

2952 | gay.exe | C:\Users\admin\Documents\HidUsb\PptpMiniport\autotimesvc.exe | executable
MD5: E2D123853B190265C36D16CF78F40B69
SHA256: 4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22

2952 | gay.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\HwNClx0101\volsnap\W32Time\kbldfltr.exe | executable
MD5: E2D123853B190265C36D16CF78F40B69
SHA256: 4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22

2952 | gay.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\HwNClx0101\volsnap\W32Time\RCX907C.tmp | executable
MD5: A40540B7DEA47D1AA5C28C9FD215D172
SHA256: E0C405FA31F45A9D5E87E49E6265EF1322C154B178EA9F4D975B2484D6F80C97
HTTP(S) requests
30
TCP/UDP connections
43
DNS requests
19
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4456 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4456 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.74:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4456 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4456 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
4456 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
  • 184.24.77.8
  • 184.24.77.11
  • 184.24.77.16
  • 184.24.77.14
  • 184.24.77.24
  • 184.24.77.19
  • 184.24.77.9
  • 184.24.77.10
  • 184.24.77.17
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.66
  • 40.126.32.74
  • 20.190.160.131
  • 20.190.160.65
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.130
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info