File name:

bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe

Full analysis: https://app.any.run/tasks/1668aa62-5a30-422b-8aea-5246138a7eda
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: September 03, 2025, 17:11:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sufuzan
backdoor
upx
sfuzuan
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 5 sections
MD5:

BB8B0C9E9180D0908674EFCF0599D719

SHA1:

4543A902EF9EA0453EC48CFD7DE570396E4ED37D

SHA256:

BCBEC258D2BEEE030D3FE8E010FF516534D1E2CFF874776E47247EF13E5A31E2

SSDEEP:

98304:/CaSg767sYTVXo1R3t+0L9jJv/WQcbNdFZMjHfG/kRzg7gmsCQYEqZdOt+0z7:TmFZMjHfD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SUFUZAN mutex has been found

      • 5c770706 (PID: 892)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)

    • SFUZUAN has been detected (SURICATA)

      • svchost.exe (PID: 2200)

    • Connects to the CnC server

      • svchost.exe (PID: 2200)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2716)
      • 5c770706 (PID: 892)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)

    • Application launched itself

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2716)

    • Executable content was dropped or overwritten

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)

    • Executes as Windows Service

      • 5c770706 (PID: 892)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2200)

  • INFO

    • Reads the computer name

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2716)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)
      • 5c770706 (PID: 892)

    • Process checks computer location settings

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2716)

    • The sample compiled with chinese language support

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2716)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)

    • Checks supported languages

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)
      • 5c770706 (PID: 892)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2716)

    • Reads the software policy settings

      • 5c770706 (PID: 892)
      • slui.exe (PID: 4224)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)

    • UPX packer has been detected

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)
      • 5c770706 (PID: 892)

    • Reads the machine GUID from the registry

      • 5c770706 (PID: 892)
      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)

    • Checks proxy server information

      • bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe (PID: 2728)
      • slui.exe (PID: 4224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:21 07:44:07+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 9
CodeSize: 143360
InitializedDataSize: 139264
UninitializedDataSize: 274432
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
5
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe no specs #SUFUZAN bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe #SUFUZAN 5c770706 #SFUZUAN svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
892C:\Windows\Syswow64\5c770706C:\Windows\SysWOW64\5c770706
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\windows\syswow64\5c770706
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2716"C:\Users\admin\Desktop\bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe" C:\Users\admin\Desktop\bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2728"C:\Users\admin\Desktop\bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe" C:\Users\admin\Desktop\bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe
bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe
User:
admin
Integrity Level:
HIGH
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4224C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
12 011
Read events
12 008
Write events
3
Delete events
0

Modification events

(PID) Process:(2728) bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2728) bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2728) bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2728bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exeC:\Windows\SysWOW64\5c770706executable
MD5:BCA6825374A2BB97266DF5F6B1210C72
SHA256:C59F39CC3C7359B6C389F0B81D107ED1D42E02C4BDFB86D0F0440DE694B3E21B
8925c770706C:\Windows\f4578text
MD5:796F2F30B22AB2541CD991C8E58F69C3
SHA256:03756475082F626AA267D4E8C9F29D9E68FEA794BDD13038C9698489CFA96E2C
2728bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exeC:\Windows\2eb450text
MD5:8AC85579B15B91387C3953EE06F72CA6
SHA256:4059205D4F44A7187D90E0825A70F615325DF161988B806FAF9077E450C49497
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
256
TCP/UDP connections
341
DNS requests
60
Threats
78

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
2.16.164.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
1268
svchost.exe
GET
200
2.16.164.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
2528
RUXIMICS.exe
GET
200
2.16.164.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
POST
200
20.190.160.65:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
unknown
POST
400
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
20.190.160.132:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.32.76:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
GET
200
223.6.6.6:443
https://dns.alidns.com/resolve?name=down.nugong.asia&type=1
CN
binary
257 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2528
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.16.164.73:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
2.16.164.73:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2528
RUXIMICS.exe
2.16.164.73:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4800
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.16.164.73
  • 2.16.164.74
  • 2.16.164.66
  • 2.16.164.98
  • 2.16.164.72
  • 2.16.164.27
  • 2.16.164.96
  • 2.16.164.25
  • 2.16.164.33
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
down.nugong.asia
unknown
login.live.com
  • 20.190.160.67
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.138
  • 20.190.160.4
  • 40.126.32.134
  • 20.190.160.2
  • 20.190.160.132
whitelisted
dns.alidns.com
  • 223.6.6.6
  • 223.5.5.5
whitelisted
down.xy58.top
unknown
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
892
5c770706
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bcbec258d2beee030d3fe8e010ff516534d1e2cff874776e47247ef13e5a31e2.exe