File name: 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe

Full analysis: https://app.any.run/tasks/98df56aa-7987-40a2-b26e-c52e0f271fab
Verdict: Malicious activity
Threats: Backdoor

A backdoor gives an attacker covert, repeatable access to a compromised system, which is then used for follow-on activity such as data theft or file modification. Backdoors are hard to spot because they commonly hide behind legitimate system components (in this report, a dropped binary started by services.exe as a Windows service, and DNS lookups routed through a public resolver) rather than running as an obviously foreign process. Dedicated malware families such as PlugX are routinely used to plant them.

Analysis date: October 12, 2025, 03:41:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: sfuzuan, backdoor
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: D4E2D54A94352E1B1853812FBF07FF67
SHA1: 1037418C66B3BCBCFE41749D5CDF27EBE25D7A7B
SHA256: 91431906705B34A7C134810830984E1A33CF05A65F664132895CC7E3CD91124A
SSDEEP: 6144:cJ1nGDwv1tjCtJQVXNY1gFrkcLezOOrTUrW6Ov03lWCjw0FSP1RDnRseya5Iv06F:ZU74E9YGRj5OrTUrXWt00LmemdYs7Z

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions during the session and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • SFUZUAN mutex has been found

      • d885db4c (PID: 8676)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
    • SFUZUAN has been detected (SURICATA)

      • svchost.exe (PID: 2428)
    • Connects to the CnC server

      • svchost.exe (PID: 2428)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8448)
      • d885db4c (PID: 8676)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
    • Application launched itself

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8448)
    • Executable content was dropped or overwritten

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
    • Executes as Windows Service

      • d885db4c (PID: 8676)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2428)
  • INFO

    • The sample was compiled with Chinese language support

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8448)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
    • Checks supported languages

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8448)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
      • d885db4c (PID: 8676)
    • Reads the computer name

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8448)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
      • d885db4c (PID: 8676)
    • Process checks computer location settings

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8448)
    • Reads the software policy settings

      • d885db4c (PID: 8676)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
      • slui.exe (PID: 9108)
    • Reads the machine GUID from the registry

      • d885db4c (PID: 8676)
      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
    • Checks proxy server information

      • 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID: 8644)
      • slui.exe (PID: 9108)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:22 19:03:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 145408
InitializedDataSize: 236544
UninitializedDataSize: -
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
All screenshots are available in the full report
Total processes: 163
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Nodes as drawn in the report ("#SFUZUAN" marks processes tagged with the SFUZUAN signature; PIDs taken from the process table below):

start → 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID 8448, no specs)
#SFUZUAN 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID 8644)
#SFUZUAN d885db4c (PID 8676)
#SFUZUAN svchost.exe (PID 2428)
slui.exe (PID 9108)

Process information

PID: 2428
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services (hosting the Dnscache service)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 8448
CMD: "C:\Users\admin\Desktop\91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe"
Path: C:\Users\admin\Desktop\91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 23, 9, 20, 1611
Modules (images):
c:\users\admin\desktop\91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 8644
CMD: "C:\Users\admin\Desktop\91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe"
Path: C:\Users\admin\Desktop\91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
Parent process: 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe (PID 8448)
User: admin
Integrity Level: HIGH
Version: 23, 9, 20, 1611
Modules (images):
c:\users\admin\desktop\91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 8676
CMD: C:\Windows\Syswow64\d885db4c
Path: C:\Windows\SysWOW64\d885db4c
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version: 23, 9, 20, 1611 (same version resource as the dropper)
Modules (images):
c:\windows\syswow64\d885db4c
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 9108
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 12 186
Read events: 12 183
Write events: 3
Delete events: 0

Modification events

(PID) Process: (8644) 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (8644) 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (8644) 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Note: these three CachePrefix values (empty, "Cookie:", "Visited:") are the defaults WinINet writes when a process first initializes its URL cache. They show that PID 8644 loaded WinINet (consistent with the proxy and Internet Explorer security-setting checks listed above); they are not a persistence mechanism.
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
8644 | 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe | C:\Windows\93fd08 | text | DFC2242556B61630E73393953A39A298 | 2055DBFDC47EBAF2F881BB1E97EB6AD51F728C7ECB17BA37BC15B826D94962C4
8644 | 91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe | C:\Windows\SysWOW64\d885db4c | executable | 8101B1E24E8F8C12165A42A75FD7EC99 | 7A65A0419110FA1400F4E645BD20C31E1E89C9F503863113AA5E88A662277652
8676 | d885db4c | C:\Windows\948948 | text | 6DB9C95E5D2010AE861628FE6FDB5E0B | 23118BF75751BA0BE0FB9105D68A3CE93FDAADFE692464AD388A962F343B5D2A
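The process and dropped-file records above describe a small, portable pattern: the sample relaunches its own image at HIGH integrity, writes an extensionless hex-named binary into SysWOW64 that services.exe then starts as SYSTEM, and both stages drop hex-named files directly under C:\Windows. The following is an added example (not code from the report or from ANY.RUN) that encodes those observations as checks over process and file-write telemetry of the kind an EDR exports. The records are constructed from the tables above; the record layout, rule names and the hex-name heuristic are this example's own assumptions.

```python
"""
Added example, not part of the ANY.RUN report: the host-side behaviour the
report records, rewritten as checks over process and file-write telemetry.
The records below are constructed from the report's tables; field names,
rule names and the hex-name heuristic are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEX_NAME = re.compile(r"^[0-9a-f]{6,16}$")  # matches d885db4c, 93fd08, 948948
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


@dataclass
class Proc:
    pid: int
    image: str
    parent_image: str
    parent_pid: Optional[int]
    integrity: str


@dataclass
class FileWrite:
    pid: int
    path: str
    kind: str  # "executable" or "text", as the sandbox classified it


SAMPLE = "91431906705b34a7c134810830984e1a33cf05a65f664132895cc7e3cd91124a.exe"
DESKTOP = "C:\\Users\\admin\\Desktop\\"
PROCS = [  # constructed from the Process information table
    Proc(8448, DESKTOP + SAMPLE, "explorer.exe", None, "MEDIUM"),
    Proc(8644, DESKTOP + SAMPLE, SAMPLE, 8448, "HIGH"),
    Proc(8676, "C:\\Windows\\SysWOW64\\d885db4c", "services.exe", None, "SYSTEM"),
    Proc(2428, "C:\\Windows\\System32\\svchost.exe", "services.exe", None, "SYSTEM"),
    Proc(9108, "C:\\Windows\\System32\\slui.exe", "svchost.exe", None, "MEDIUM"),
]
WRITES = [  # constructed from the Dropped files table
    FileWrite(8644, "C:\\Windows\\93fd08", "text"),
    FileWrite(8644, "C:\\Windows\\SysWOW64\\d885db4c", "executable"),
    FileWrite(8676, "C:\\Windows\\948948", "text"),
]

Finding = Tuple[str, int, str]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def is_hex_noext(name: str) -> bool:
    """Extensionless name made only of hex digits, like the dropped files here."""
    return "." not in name and HEX_NAME.match(name.lower()) is not None


def find_findings(procs: List[Proc], writes: List[FileWrite]) -> List[Finding]:
    findings: List[Finding] = []
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        # Rule 1: services.exe starts an extensionless hex-named image from a system dir
        if (p.parent_image.lower() == "services.exe" and in_system_dir(p.image)
                and is_hex_noext(basename(p.image))):
            findings.append(("service_hexname_binary", p.pid, p.image))
        # Rule 2: a process relaunches its own image at a higher integrity level
        parent = by_pid.get(p.parent_pid)
        if (parent is not None and parent.image.lower() == p.image.lower()
                and INTEGRITY[p.integrity] > INTEGRITY[parent.integrity]):
            findings.append(("self_relaunch_elevated", p.pid,
                             f"{parent.integrity}->{p.integrity}"))
    for w in writes:
        writer = by_pid.get(w.pid)
        # Rule 3: an executable lands in a system dir, written by a non-system image
        if (w.kind == "executable" and in_system_dir(w.path)
                and writer is not None and not in_system_dir(writer.image)):
            findings.append(("exe_dropped_in_system_dir", w.pid, w.path))
        # Rule 4: extensionless hex-named file directly under C:\Windows
        low = w.path.lower()
        if (low.startswith(WINDOWS_DIR) and "\\" not in low[len(WINDOWS_DIR):]
                and is_hex_noext(basename(w.path))):
            findings.append(("hexname_file_in_windows_root", w.pid, w.path))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_findings(PROCS, WRITES):
        print(f"{rule:32s} pid={pid:<5d} {detail}")
```

Run against the constructed records, the checks produce five findings: the MEDIUM→HIGH self-relaunch of PID 8644, the service binary d885db4c started by services.exe, its drop into SysWOW64 by the Desktop-resident dropper, and the two hex-named files under C:\Windows. Rule 4 is deliberately narrow (hex names, no extension, directly in the Windows root) because legitimate components rarely look like that; widen it only after checking the false-positive rate on your own fleet.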
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 259
TCP/UDP connections: 357
DNS requests: 53
Threats: 92

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | unknown
8676 | d885db4c | GET | 200 | 223.6.6.6:80 | http://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | whitelisted
- | - | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | CN | binary | 255 b | unknown
8676 | d885db4c | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | whitelisted
- | - | GET | 200 | 223.5.5.5:443 | https://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16 | CN | binary | 255 b | unknown
8676 | d885db4c | GET | 200 | 223.6.6.6:80 | http://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | CN | binary | 255 b | whitelisted
8676 | d885db4c | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=spi1.tyui54345.xyz&type=16 | CN | binary | 255 b | whitelisted
- | - | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=spi3.tyui54345.xyz&type=16 | CN | binary | 255 b | unknown
8676 | d885db4c | GET | 200 | 223.6.6.6:80 | http://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16 | CN | binary | 255 b | whitelisted
8676 | d885db4c | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=spi2.tyui54345.xyz&type=16 | CN | binary | 255 b | whitelisted

Rows with "-" in the PID column are TLS sessions that the sandbox could not attribute to a process. type=1 is an A-record query, type=16 a TXT-record query.
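The HTTP table above shows the service binary resolving names through Alibaba's public resolver via its JSON /resolve API rather than through the system stub resolver: A records (type=1) for down.nugong.asia and TXT records (type=16) for spi1/spi2/spi3.tyui54345.xyz, the usual shape of a C2-address retrieval that bypasses local DNS logging. The following added example (not code from the report or from ANY.RUN) parses request lines of that form, groups the queried names by record type, flags names outside an allowlist with TXT lookups first, and extracts TXT strings from a JSON DoH answer. The log lines are copied from the table; the resolver list, the allowlist and the answer body are constructed assumptions, and the TXT payload in it is made up for illustration.

```python
"""
Added example, not part of the ANY.RUN report: pull DNS-over-HTTPS lookups
out of HTTP request log lines and flag TXT (type 16) queries for names that
a host has no business resolving. Resolver list, allowlist and the sample
DoH answer are assumptions of this example.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one "pid method url" line per request, copied from the
# report's HTTP request table; "-" means the sandbox did not attribute a PID.
SAMPLE_LOG = """\
- GET https://dns.alidns.com/resolve?name=down.nugong.asia&type=1
8676 GET http://dns.alidns.com/resolve?name=down.nugong.asia&type=1
- GET https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16
8676 GET http://223.5.5.5/resolve?name=down.nugong.asia&type=1
- GET https://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16
8676 GET http://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16
8676 GET http://223.5.5.5/resolve?name=spi1.tyui54345.xyz&type=16
- GET https://dns.alidns.com/resolve?name=spi3.tyui54345.xyz&type=16
8676 GET http://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16
8676 GET http://223.5.5.5/resolve?name=spi2.tyui54345.xyz&type=16
"""

# Resolver endpoints seen in the report (host name and the raw IPs).
DOH_RESOLVERS = {"dns.alidns.com", "223.5.5.5", "223.6.6.6"}
RR_TYPES = {1: "A", 16: "TXT", 28: "AAAA"}
# Names a sandbox host is expected to resolve (assumption for the example).
ALLOWLIST_SUFFIXES = (".microsoft.com", ".bing.com", "google.com")


def parse_doh_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (pid, qname, rrtype) for every /resolve query sent to a known resolver."""
    out = []
    for line in log_text.splitlines():
        pid, _method, url = line.split(" ", 2)
        u = urlsplit(url)
        if u.hostname not in DOH_RESOLVERS or u.path != "/resolve":
            continue
        q = parse_qs(u.query)
        name = q.get("name", [""])[0].rstrip(".").lower()
        rtype = RR_TYPES.get(int(q.get("type", ["1"])[0]), "?")
        out.append((pid, name, rtype))
    return out


def suspicious_doh_lookups(log_text: str) -> List[Tuple[str, Set[str]]]:
    """Names outside the allowlist with the record types asked for; TXT first."""
    by_name: Dict[str, Set[str]] = defaultdict(set)
    for _pid, name, rtype in parse_doh_requests(log_text):
        if not name.endswith(ALLOWLIST_SUFFIXES):
            by_name[name].add(rtype)
    # TXT lookups are the stronger signal: a TXT answer can carry arbitrary data.
    return sorted(by_name.items(), key=lambda kv: ("TXT" not in kv[1], kv[0]))


# Constructed DoH answer in the JSON shape the alidns /resolve endpoint returns
# (same layout as the Google/Cloudflare JSON DoH APIs). The TXT payload is made
# up for the example; the report does not show the real answer bodies.
SAMPLE_ANSWER = json.dumps({
    "Status": 0,
    "Question": [{"name": "spi1.tyui54345.xyz.", "type": 16}],
    "Answer": [{"name": "spi1.tyui54345.xyz.", "type": 16, "TTL": 60,
                "data": "\"v=1;host=198.51.100.7;port=443\""}],
})


def txt_payloads(doh_json: str) -> List[str]:
    """TXT record strings from a JSON DoH answer, surrounding quotes stripped."""
    doc = json.loads(doh_json)
    if doc.get("Status") != 0:
        return []
    return [re.sub(r'^"|"$', "", a["data"])
            for a in doc.get("Answer", []) if a.get("type") == 16]


if __name__ == "__main__":
    for name, types in suspicious_doh_lookups(SAMPLE_LOG):
        print(f"{name:28s} {','.join(sorted(types))}")
    print(txt_payloads(SAMPLE_ANSWER))
```

Because the queries go to a resolver the reputation engine whitelists, the URL path and the `name`/`type` parameters carry the signal, not the destination; the same parser works on proxy logs or a decrypted PCAP, and the TLS-only rows (no PID) are caught by matching the SNI `dns.alidns.com` as the ET INFO alerts in the Threats table do.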

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7556 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6016 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.11.206.99:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
8676 | d885db4c | 223.6.6.6:443 | dns.alidns.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | whitelisted
5948 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
8676 | d885db4c | 223.6.6.6:80 | dns.alidns.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | whitelisted
8676 | d885db4c | 223.5.5.5:443 | dns.alidns.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | whitelisted
8676 | d885db4c | 223.5.5.5:80 | dns.alidns.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
www.bing.com | 23.11.206.99, 23.3.89.113, 23.11.206.98, 23.11.206.107 | whitelisted
google.com | 142.250.186.110 | whitelisted
down.nugong.asia | - | unknown
dns.alidns.com | 223.6.6.6, 223.5.5.5 | whitelisted
down.xy58.top | - | unknown
31bd9b27a24e0be9.tyui54345.xyz | - | unknown
yzzcommon.tyui54345.xyz | - | unknown
31bd9b27a24e0be9.zxcv56745.xyz | - | unknown
yzzcommon.zxcv56745.xyz | - | unknown

Rows with "-" in the IP column received no answer during the session.

Threats

PID | Process | Class | Message
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
8676 | d885db4c | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
8676 | d885db4c | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)