File name:

45.exe

Full analysis: https://app.any.run/tasks/d8b4f248-71df-4547-8c95-a115fa7c0539
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: March 19, 2025, 11:47:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
njrat
bladabindi
remote
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

F89536A4B72B3496B8D2F9633E5F66F8

SHA1:

D06854C8D19D8A006D425F46461DC285B9788AB0

SHA256:

173B07A56092E7521F6EA170EF53F3AC424AFC6B7F02CD54D76BEA3CA59EFE48

SSDEEP:

768:nsP4vTdhRIsSPCjR84iTgb7t7STL7E2rGn/yWY6gQSVCHpEq9WiajVQNPl1Rz4Rl:s22Kt7t26tJ8VCHKuZl1dD2STzP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 812)
      • net.exe (PID: 4868)
      • net.exe (PID: 4724)
      • cmd.exe (PID: 5988)
      • net.exe (PID: 5640)
      • net.exe (PID: 7104)
      • net.exe (PID: 4572)
      • net.exe (PID: 3884)
      • net.exe (PID: 2960)
      • net.exe (PID: 3028)
      • net.exe (PID: 5512)
      • net.exe (PID: 3620)
      • net.exe (PID: 3124)
      • net.exe (PID: 6624)
      • net.exe (PID: 920)
      • net.exe (PID: 3836)
      • net.exe (PID: 4608)
      • net.exe (PID: 6152)
      • net.exe (PID: 6948)
      • net.exe (PID: 2020)

    • Connects to the CnC server

      • 45.exe (PID: 5176)

    • NJRAT has been detected (SURICATA)

      • 45.exe (PID: 5176)

    • NJRAT has been detected (YARA)

      • 45.exe (PID: 5176)

  • SUSPICIOUS

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • 45.exe (PID: 5176)

    • Contacting a server suspected of hosting an CnC

      • 45.exe (PID: 5176)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 856)
      • cmd.exe (PID: 6132)

    • Executing commands from a ".bat" file

      • 45.exe (PID: 5176)

    • Starts CMD.EXE for commands execution

      • 45.exe (PID: 5176)

    • The system shut down or reboot

      • cmd.exe (PID: 3008)

    • Reads security settings of Internet Explorer

      • 45.exe (PID: 5176)

    • Connects to unusual port

      • 45.exe (PID: 5176)

  • INFO

    • Reads the computer name

      • 45.exe (PID: 5176)

    • Creates files or folders in the user directory

      • 45.exe (PID: 5176)

    • Checks supported languages

      • 45.exe (PID: 5176)

    • Reads the machine GUID from the registry

      • 45.exe (PID: 5176)

    • Create files in a temporary directory

      • 45.exe (PID: 5176)

    • Process checks computer location settings

      • 45.exe (PID: 5176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(5176) 45.exe
C2result-disco.gl.at.ply.gg
Ports57385
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\7282d1d924e8cee4c72c6feda92f7a0f
Splitter|'|'|
Version0.7d
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:19 11:39:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 94208
InitializedDataSize: 512
UninitializedDataSize: -
EntryPoint: 0x18f1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
56
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NJRAT 45.exe netsh.exe no specs conhost.exe no specs svchost.exe slui.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs shutdown.exe no specs taskkill.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
240C:\WINDOWS\system32\net1 user Yougetdestoryed /ADDC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
660C:\WINDOWS\system32\net1 user Yougetdestoryed /ADDC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
812net user Yougetdestoryed /ADDC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
856C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp5C92.tmp.BAT" "C:\Windows\SysWOW64\cmd.exe45.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
920net user Yougetdestoryed /ADDC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
976C:\WINDOWS\system32\net1 user Yougetdestoryed /ADDC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1040C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp5C82.tmp.BAT" "C:\Windows\SysWOW64\cmd.exe45.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1116C:\WINDOWS\system32\net1 user Yougetdestoryed /ADDC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1176C:\WINDOWS\system32\net1 user Yougetdestoryed /ADDC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
Total events
2 183
Read events
2 182
Write events
1
Delete events
0

Modification events

(PID) Process:(5176) 45.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
Executable files
0
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
517645.exeC:\Users\admin\AppData\Roaming\apptext
MD5:2099BB64FD1770D321DF364F99B658D1
SHA256:D53CE6BDBD0C3CB4596AC3103F15824570A9858DA95F63CEDF64CEC11DC44E2D
517645.exeC:\Users\admin\AppData\Local\Temp\tmp5C42.tmp.BATtext
MD5:1CBC3A2F81D4259E3BF61249711FEC81
SHA256:6A207F770478D59DA0D2AA43A9719EF05B3F85C8C700400746CA3AB0463D08F0
517645.exeC:\Users\admin\AppData\Local\Temp\tmp5C92.tmp.BATtext
MD5:94070806E01C1AE7FE2AAE46D929387A
SHA256:4F553023C9FDFEA5F806C86D6BDD40D94348843D4A4EFD91DC952A53229A4358
517645.exeC:\Users\admin\AppData\Local\Temp\tmp5CA3.tmp.BATtext
MD5:456C3E1669D900EBE41355349DEB28E0
SHA256:E4125F396993EA0876F3FFA9BFFC46134DD20D7C8E4D077DDADEE67B6CA33ABE
517645.exeC:\Users\admin\AppData\Local\Temp\tmp3E1A.tmp.BATtext
MD5:94070806E01C1AE7FE2AAE46D929387A
SHA256:4F553023C9FDFEA5F806C86D6BDD40D94348843D4A4EFD91DC952A53229A4358
517645.exeC:\Users\admin\AppData\Local\Temp\tmp5C82.tmp.BATtext
MD5:AB45B6913751E20D60D6C9A44A229A66
SHA256:71385E3FB017BB452466AB1AD8764950C14A7AF856D0EE8C147CF8F7F073B2EC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
22
DNS requests
5
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5176
45.exe
147.185.221.26:57385
result-disco.gl.at.ply.gg
PLAYIT-GG
US
malicious
2384
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
result-disco.gl.at.ply.gg
  • 147.185.221.26
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
5176
45.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
5176
45.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
5176
45.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
45.exe