File name:

gay.exe

Full analysis: https://app.any.run/tasks/601dbad7-e5a7-4beb-882e-17a3a226544b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 10:57:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
auto-startup
loader
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

E2D123853B190265C36D16CF78F40B69

SHA1:

BA3C0A6C8DA60CB14A32D17564F03C7B54ACF1D0

SHA256:

4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22

SSDEEP:

98304:mlkP1Unva5OKSbAmTorzntGdMyk+AtBmkFyHqc6Xphr6j+P2TfgrHiQc6rlW8bHH:JFJ/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • gay.exe (PID: 6652)

    • Changes the autorun value in the registry

      • gay.exe (PID: 6652)

    • Create files in the Startup directory

      • gay.exe (PID: 6652)

  • SUSPICIOUS

    • Connects to unusual port

      • gay.exe (PID: 6652)

    • Potential Corporate Privacy Violation

      • gay.exe (PID: 6652)

    • Process requests binary or script from the Internet

      • gay.exe (PID: 6652)

    • Executable content was dropped or overwritten

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)

    • Reads security settings of Internet Explorer

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)

    • Reads the date of Windows installation

      • gay.exe (PID: 6652)

    • Executing commands from a ".bat" file

      • kokipopi.exe (PID: 5008)

    • Starts CMD.EXE for commands execution

      • kokipopi.exe (PID: 5008)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5720)

    • Checks for external IP

      • tmpCAE1.tmp.exe (PID: 5372)
      • svchost.exe (PID: 2200)

    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 2760)

  • INFO

    • Reads the computer name

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)
      • tmpCAE1.tmp.exe (PID: 5372)

    • Checks supported languages

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)
      • tmpCAE1.tmp.exe (PID: 5372)

    • The sample compiled with english language support

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)

    • Checks proxy server information

      • gay.exe (PID: 6652)
      • tmpCAE1.tmp.exe (PID: 5372)
      • slui.exe (PID: 5244)

    • Disables trace logs

      • gay.exe (PID: 6652)
      • tmpCAE1.tmp.exe (PID: 5372)

    • Reads Environment values

      • gay.exe (PID: 6652)

    • Create files in a temporary directory

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)

    • Reads the machine GUID from the registry

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)
      • tmpCAE1.tmp.exe (PID: 5372)

    • Launching a file from a Registry key

      • gay.exe (PID: 6652)

    • Process checks computer location settings

      • gay.exe (PID: 6652)
      • kokipopi.exe (PID: 5008)

    • Reads the software policy settings

      • slui.exe (PID: 5244)

    • Creates files or folders in the user directory

      • gay.exe (PID: 6652)

    • Launching a file from the Startup directory

      • gay.exe (PID: 6652)

    • Failed to create an executable file in Windows directory

      • gay.exe (PID: 6652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2080:02:20 09:36:36+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 4305920
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.3.4.4
ProductVersionNumber: 4.3.4.4
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: aazko8pfeqwto
ProductName: aazko8pfeqwto
ProductVersion: 4.3.4.4
LegalCopyright: aazko8pfeqwto
OriginalFileName: aazko8pfeqwto.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
15
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start gay.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe kokipopi.exe tmpcae1.tmp.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
728"schtasks" /create /tn "RasAcd" /tr "C:\Users\admin\ufxsynopsys\VerifierExt\DoSvc.exe" /sc MINUTE /mo 15 /ru "SYSTEM" /rl HIGHESTC:\Windows\System32\schtasks.exegay.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2120"schtasks" /create /tn "vwifibus" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ws2ifsl\NcaSvc\ndfltr.exe" /sc MINUTE /mo 15 /ru "SYSTEM" /rl HIGHESTC:\Windows\System32\schtasks.exegay.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2760"schtasks" /create /tn "Sense" /tr "C:\Users\Public\Documents\intelpmax\ProfSvc\TieringEngineService\hidi2c.exe" /sc MINUTE /mo 15 /ru "SYSTEM" /rl HIGHESTC:\Windows\System32\schtasks.exegay.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3924\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetmpCAE1.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5008"C:\Users\admin\AppData\Local\Temp\kokipopi.exe" C:\Users\admin\AppData\Local\Temp\kokipopi.exe
gay.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RasAgileVpn
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\kokipopi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5244C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5372"C:\Users\admin\AppData\Local\Temp\tmpCAE1.tmp.exe" C:\Users\admin\AppData\Local\Temp\tmpCAE1.tmp.exe
kokipopi.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WlanSvc
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tmpcae1.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5720C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\8ce041b6-54db-49ef-a93a-54ceb06cfd02.bat" "C:\Windows\SysWOW64\cmd.exekokipopi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
4 336
Read events
4 302
Write events
34
Delete events
0

Modification events

(PID) Process:(6652) gay.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:usbccgp
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\MSPCLOCK\cht4vbd\WFPLWFS\i8042prt.exe"
(PID) Process:(6652) gay.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:NDKPing
Value:
"C:\Users\admin\Documents\UrsSynopsys\EFS\luafv.exe"
(PID) Process:(6652) gay.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Winmgmt
Value:
"C:\Users\admin\Videos\UdeCx\MsSecWfp\HdAudAddService.exe"
(PID) Process:(6652) gay.exeKey:HKEY_CURRENT_USER\SOFTWARE\F8129A35CB0B2583252ADC9C82B26740
Operation:writeName:7ACC172CD44DDC99962B58A669E06C2C
Value:
4OuI6Qwk7jgMaeWhuw1a0Ww/gk3Mdx5ojSjQXQlv2Oc=
(PID) Process:(6652) gay.exeKey:HKEY_CURRENT_USER\SOFTWARE\F8129A35CB0B2583252ADC9C82B26740
Operation:writeName:F21A208E2E98FFCA3EA4217D6E0F78EE
Value:
F7lyg3uYPPrf50IdBvTJwEP7MOeGUuiXzOCZ/ijkQlKFjHy3xIwZ5DXuScX3iVYHVWVVgt0ekuEZRKuKzhvz9w==
(PID) Process:(6652) gay.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\gay_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6652) gay.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\gay_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6652) gay.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\gay_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6652) gay.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\gay_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6652) gay.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\gay_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
Executable files
29
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6652gay.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\MSPCLOCK\cht4vbd\WFPLWFS\RCX6021.tmpexecutable
MD5:32BEB204A97D7BB5628DE56CC1C0463B
SHA256:8A4DF899F0C5310B6E121A916629164C534010ACF1DEC3A3F96AD84F9546168C
6652gay.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\MSPCLOCK\cht4vbd\WFPLWFS\i8042prt.exeexecutable
MD5:E2D123853B190265C36D16CF78F40B69
SHA256:4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22
6652gay.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn\DispBrokerDesktopSvc\storflt\AcpiPmi\amdsata.exeexecutable
MD5:E2D123853B190265C36D16CF78F40B69
SHA256:4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22
6652gay.exeC:\Users\admin\Videos\UdeCx\MsSecWfp\RCX6C97.tmpexecutable
MD5:FE23292871F6A43F5571600E58BFBFB6
SHA256:733A802D24E4F4DA3695EB87CFBCD1774FC249FEE8343EE0C8815FF4AE93AA55
6652gay.exeC:\Users\admin\Pictures\percsas3i\AppID\UrsChipidea\RCX8531.tmpexecutable
MD5:6BDAB84D890B578179765B91B2BDF939
SHA256:1DD9C64D036417C356E7AC94DF0922309E5878EE6AF43C70FB008896393DB7A0
6652gay.exeC:\Users\admin\Documents\UrsSynopsys\EFS\luafv.exeexecutable
MD5:E2D123853B190265C36D16CF78F40B69
SHA256:4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22
6652gay.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagnosticshub.standardcollector.service.lnkbinary
MD5:999F15C7C413D1F4FC7BF5AE37B120B8
SHA256:B1A464A79F2475AF9CDBC2AECCE11AE3626DF18F205F5D9472C83BA10EB561F5
6652gay.exeC:\Users\admin\Videos\UdeCx\MsSecWfp\HdAudAddService.exeexecutable
MD5:E2D123853B190265C36D16CF78F40B69
SHA256:4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22
6652gay.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn\DispBrokerDesktopSvc\storflt\AcpiPmi\RCX7FA3.tmpexecutable
MD5:EF8CFE3D4D0B0BC8D3F52C477D4C5862
SHA256:02F8E2EEF94E93A9F5C4869FFC614921FC95A10DD6800BE536492AD8FEAE291A
6652gay.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ws2ifsl\NcaSvc\ndfltr.exeexecutable
MD5:E2D123853B190265C36D16CF78F40B69
SHA256:4112C94DD0FAB5E17529313038159C0784F671710B0518E5442604035AE22E22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
29
DNS requests
16
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6652
gay.exe
GET
89.23.98.243:80
http://hamster-exchange.top/1.exe
unknown
malicious
4168
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2808
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5372
tmpCAE1.tmp.exe
POST
200
89.23.98.243:8080
http://89.23.98.243:8080/74db120f0a8e5646ef5a30154e9f6deb
unknown
unknown
5372
tmpCAE1.tmp.exe
GET
200
89.23.98.243:8080
http://89.23.98.243:8080/632c9594449737188c71ee1c8534f893
unknown
unknown
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
5372
tmpCAE1.tmp.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2808
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.31:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3876
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
2336
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4168
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4168
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6652
gay.exe
89.23.98.243:32
hamster-exchange.top
LLC Smart Ape
RU
unknown
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.1
  • 20.190.159.130
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.67
  • 20.190.159.68
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 184.24.77.31
  • 184.24.77.22
  • 184.24.77.27
  • 184.24.77.24
  • 184.24.77.19
  • 184.24.77.17
  • 184.24.77.18
  • 184.24.77.15
  • 184.24.77.23
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
hamster-exchange.top
  • 89.23.98.243
malicious
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
6652
gay.exe
A Network Trojan was detected
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
6652
gay.exe
A Network Trojan was detected
ET MALWARE Single char EXE direct download likely trojan (multiple families)
6652
gay.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
6652
gay.exe
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
6652
gay.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
6652
gay.exe
Misc activity
ET HUNTING Possible EXE Download From Suspicious TLD
6652
gay.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
5372
tmpCAE1.tmp.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2200
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
gay.exe