File name:	a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe
Full analysis:	https://app.any.run/tasks/7cfb1bfb-1b6b-45bc-95a8-90f969334549
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Malware Trends Tracker >>>
Analysis date:	October 03, 2025, 17:00:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sfuzuan backdoor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	268F2F103B6EA2D9D6BD5E36A0BF2E3D
SHA1:	0FFFCF4A1A4EA0055865BEF6EE1E85DC7FE0623E
SHA256:	A2EA11C10050523B9C1D3BBD4C2445E5ABDBB3084F212B30078B36A53A9F9B21
SSDEEP:	6144:EJ1nGDwv1tjCtJQVXNY1gFrkcLezOOrTUrW6Ov03lWCjw0FSP1RDnRseya5Iv06F:RU74E9YGRj5OrTUrXWt00LmemdYs7Z

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:02:15 07:13:55+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	145408
InitializedDataSize:	236544
UninitializedDataSize:	-
EntryPoint:	0x1317f
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	23.9.20.1611
ProductVersionNumber:	23.9.20.1611
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	23, 9, 20, 1611
ProductVersion:	23, 9, 20, 1611


(PID) Process:	(5212) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5212) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5212) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5212) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(532) 7c592a66	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(532) 7c592a66	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(532) 7c592a66	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7076) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7076) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7076) a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
7076	a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	C:\Windows\SysWOW64\7c592a66		executable
		MD5:0DAD61BDAA9663447FF8898EE4FCB28D	SHA256:3C67EA844F74FBD31F64587C854B795923EAA648F8B22E1939586C09F6DF7511
7076	a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	C:\Windows\7924c8		text
		MD5:B85029326A9028000722AE3BA831569D	SHA256:C6C4D490884D91AF60246DE2794216CDD90EA795ED42825AF2026325DD5D16A8
532	7c592a66	C:\Windows\91ba8		text
		MD5:0B92AB5A7C087E9BBD7C7D51B3C9E53C	SHA256:A418A6FAB0664AD0C93A934C1DBE79D1CE9B76D9E7CB53173BCF3416C9D41FB4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
532	7c592a66	GET	200	223.5.5.5:80	http://dns.alidns.com/resolve?name=down.nugong.asia&type=1	CN	binary	257 b	whitelisted
—	—	GET	200	223.5.5.5:443	https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16	CN	binary	253 b	unknown
—	—	GET	200	223.5.5.5:443	https://dns.alidns.com/resolve?name=down.nugong.asia&type=1	CN	binary	257 b	unknown
532	7c592a66	GET	200	223.5.5.5:80	http://223.5.5.5/resolve?name=down.nugong.asia&type=1	CN	binary	257 b	whitelisted
532	7c592a66	GET	200	223.5.5.5:80	http://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16	CN	binary	255 b	whitelisted
532	7c592a66	GET	200	223.5.5.5:80	http://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16	CN	binary	255 b	whitelisted
—	—	GET	200	223.5.5.5:443	https://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16	CN	binary	253 b	unknown
532	7c592a66	GET	200	223.5.5.5:80	http://223.5.5.5/resolve?name=spi1.tyui54345.xyz&type=16	CN	binary	255 b	whitelisted
532	7c592a66	GET	200	223.5.5.5:80	http://223.5.5.5/resolve?name=spi2.tyui54345.xyz&type=16	CN	binary	255 b	whitelisted
532	7c592a66	GET	200	223.5.5.5:80	http://dns.alidns.com/resolve?name=spi3.tyui54345.xyz&type=16	CN	binary	255 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2280	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6016	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.204.158:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6016	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
532	7c592a66	223.5.5.5:443	dns.alidns.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	whitelisted
5948	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
532	7c592a66	223.5.5.5:80	dns.alidns.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	whitelisted
7076	a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe	223.5.5.5:443	dns.alidns.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
www.bing.com	2.16.204.158 2.16.204.157 2.16.204.152 2.16.204.148 2.16.204.150 2.16.204.160 2.16.204.153 2.16.204.149 2.16.204.156	whitelisted
google.com	142.250.185.238	whitelisted
down.nugong.asia	—	unknown
dns.alidns.com	223.5.5.5 223.6.6.6	whitelisted
down.xy58.top	—	unknown
31bd9b27a24e0be9.tyui54345.xyz	—	unknown
yzzcommon.tyui54345.xyz	—	unknown
activation-v2.sls.microsoft.com	4.154.185.43	whitelisted
31bd9b27a24e0be9.zxcv56745.xyz	—	unknown

PID	Process	Class	Message
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
532	7c592a66	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)

General Info

a2ea11c10050523b9c1d3bbd4c2445e5abdbb3084f212b30078b36a53a9f9b21.exe

268F2F103B6EA2D9D6BD5E36A0BF2E3D

0FFFCF4A1A4EA0055865BEF6EE1E85DC7FE0623E

A2EA11C10050523B9C1D3BBD4C2445E5ABDBB3084F212B30078B36A53A9F9B21

6144:EJ1nGDwv1tjCtJQVXNY1gFrkcLezOOrTUrW6Ov03lWCjw0FSP1RDnRseya5Iv06F:RU74E9YGRj5OrTUrXWt00LmemdYs7Z

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SFUZUAN mutex has been found

Connects to the CnC server

SFUZUAN has been detected (SURICATA)

SUSPICIOUS

Executes as Windows Service

Reads the date of Windows installation

Application launched itself

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

INFO

The sample compiled with chinese language support

Reads the computer name

Checks supported languages

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings