File name: 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe

Full analysis: https://app.any.run/tasks/d8c13ce0-fa4e-4487-ad2d-44a808c199f6
Verdict: Malicious activity
Analysis date: August 02, 2025, 01:48:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 64955BA699EA85BD8013D008A8F33B4B
SHA1: 02E84BFD99D885A203C6EF3AC03500FB9CF9D2EA
SHA256: 92F6380A349EB34A830D1D7E7B1B5EC2D7DEBC632FAE980EB2746C14366A736F
SSDEEP: 98304:EuBftSXNj+NM2bm5JcxboHf2ZCDdLc3LVd4Z/c5GdgCB2hgvRzpg5fVBIqtsNBML:hWIyxq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • There is functionality for taking screenshot (YARA)
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • Detected use of alternative data streams (AltDS)
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • Drops 7-zip archiver for unpacking
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • Executable content was dropped or overwritten
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
  • INFO
    • Checks supported languages
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
      • 7z.exe (PID: 2716)
    • Reads the computer name
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • The sample compiled with Chinese language support
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • Reads mouse settings
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • The sample compiled with English language support
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • Creates files in a temporary directory
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • The process uses AutoIt
      • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (PID: 1100)
    • Checks proxy server information
      • slui.exe (PID: 7044)
    • Reads the software policy settings
      • slui.exe (PID: 7044)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:10:26 02:29:38+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 570880
InitializedDataSize: 2369024
UninitializedDataSize: -
EntryPoint: 0x25f74
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.21.328
ProductVersionNumber: 7.0.21.315
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 7.0.21.0328
Comments: 深度技术-装机大师
FileDescription: 深度技术_网络维护系统,方便安全快捷高效!
ProductVersion: 7.0.21.0315
LegalCopyright: Copyright 2018-2021 PEoss, All Rights Reserved.
ProductName: 深度技术装机大师
LegalTrademarks: 深度技术装机大师
OriginalFileName: sdxitong.exe
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes in the graph (in the order shown; "no specs" is the report's own label):
  • start
  • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe
  • 7z.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe
  • 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe (no specs)

Process information

PID: 1100
CMD: "C:\Users\admin\Desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe"
Path: C:\Users\admin\Desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: 深度技术_网络维护系统,方便安全快捷高效!
Version: 7.0.21.0328
Modules (images):
c:\users\admin\desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 2716
CMD: C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy.\7z.exe x "C:\Users\admin\Desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe" -y -o"C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy."
Path: C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy\7z.exe
Parent process: 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Console
Exit code: 2
Version: 9.20
Modules (images):
c:\users\admin\appdata\local\temp\xh_dtpjeiy\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2980
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6508
CMD: "C:\Users\admin\Desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe"
Path: C:\Users\admin\Desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: 深度技术_网络维护系统,方便安全快捷高效!
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; this medium-integrity instance exited immediately, and the sample ran as PID 1100 at HIGH integrity)
Version: 7.0.21.0328
Modules (images):
c:\users\admin\desktop\92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7044
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 876
Read events: 3 876
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 36
Text files: 63
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy\images\bg.jpg | image
    MD5: 16264DE8792D0F674EA0E81574BD0C1E
    SHA256: 16F39D0E75DF77B08CE2A8D5BB104AC3E7D9EDD9FC8B88AC188D6C001A5C7C22
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\autDB58.tmp | binary
    MD5: 3BB3F5324B757E8CAE7C06B7998D49AD
    SHA256: 2367FFD71171EE34C535E843BAC01CCE93AA788184C7DF51BE0B2391095136E6
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy\7z.exe | executable
    MD5: FF7A6F30A05959C05CA54D47BEBB28B8
    SHA256: 29717709356C1C1C28339D80C97F202AB00D2D42B7E16296E5E7456056B7BB84
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\autDB48.tmp | binary
    MD5: 9EC1AE050F4E62379645DEB9505DADF7
    SHA256: C5BE51C3EF712A697FCFA6DD6D8993B07E30BB324C7626D88B847F3883641D30
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy\images\1_Mode4_1.jpg | image
    MD5: 9F8F686AD36B908A485DD875F05E4BC8
    SHA256: 79A8A8D5049BC931AECE1C64B102C0170D30DDA8BD8208ACAF88EED74FFE7511
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy\7z.dll | executable
    MD5: 04AD4B80880B32C94BE8D0886482C774
    SHA256: A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\xh_dtpjeiy\images\Min_1.jpg | image
    MD5: 705CEFCD90E95AB5DB12E9C26BC15BF2
    SHA256: 39E5F28BE2EFDF027B07E6E9DD35E32D7794FC239DC3A7571E7B8CAED4997BF8
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\autDC06.tmp | binary
    MD5: 9E10B25B7F8D4B571176A79B67E05DAD
    SHA256: A1AF7522E4B71F5EFF96B0199D1E2860A5FEE89F4D3108297D73C10F027E837F
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\autDC07.tmp | binary
    MD5: C1DEA3D5E657BDB2FB31DD8AEC362FF6
    SHA256: 90D27FE606D9CB74D6BEF68136EABAFD211D1FD13B639FEC9EFD130DC2AA25F3
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | C:\Users\admin\AppData\Local\Temp\autDC39.tmp | binary
    MD5: 566E4E9D3DE03BA45EAE3B47BD71FD55
    SHA256: F98725FBE65FEF38992A552ACAC70C5D33841927D8763EE98A0BAC94A334DA87
HTTP(S) requests: 34
TCP/UDP connections: 40
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1100 | 92f6380a349eb34a830d1d7e7b1b5ec2d7debc632fae980eb2746c14366a736f.exe | GET | 200 | 185.106.177.142:80 | http://xiaohei.xiuchufang.com/config.txt | unknown | - | - | -
- | - | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
6160 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

(Cells the report left empty are shown as "-". The only request attributed to the sample itself, PID 1100, is the plain-HTTP GET of config.txt from xiaohei.xiuchufang.com; every other request comes from Windows components.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3960 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3960 | RUXIMICS.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.55.110.193, 23.55.110.211, 2.16.241.12, 2.16.241.14 | whitelisted
www.microsoft.com | 23.52.120.96, 23.3.109.244 | whitelisted
xiaohei.xiuchufang.com | 185.106.177.142 | unknown
self.events.data.microsoft.com | 20.50.201.201 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.138, 20.190.160.20, 40.126.32.74, 20.190.160.67, 20.190.160.128, 20.190.160.5, 40.126.32.133 | whitelisted
slscr.update.microsoft.com | 74.178.76.128 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

No threats detected
No debug info