File name:

RuntimeBroker.exe

Full analysis: https://app.any.run/tasks/0c16c475-7465-4e14-80e7-1c628b353679
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 15:16:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
njrat
bladabindi
remote
backdoor
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

7D856CAB9FAF146BD64DB6E3B4250945

SHA1:

7C301D07CCFFFCB70C6A367D6285689640BBADD9

SHA256:

226933448C3C854B320702C200CBEA27BA19AA1D44D013E0749555398B8F6FC8

SSDEEP:

6144:tkGe3DdYltTjs0v0CbNLpcw25GUZfspEPZOlEYJx:tkh30tns0vrLIZfNPGEYJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • WmiPrvSE.exe (PID: 7404)
      • RuntimeBroker.exe (PID: 7452)

    • NJRAT has been detected (SURICATA)

      • RuntimeBroker.exe (PID: 7452)

    • Uses Task Scheduler to run other applications

      • WmiPrvSE.exe (PID: 7404)

    • Connects to the CnC server

      • RuntimeBroker.exe (PID: 7452)

    • Changes the autorun value in the registry

      • WmiPrvSE.exe (PID: 7404)

    • XWORM has been detected (SURICATA)

      • WmiPrvSE.exe (PID: 7404)

    • NJRAT has been detected (YARA)

      • RuntimeBroker.exe (PID: 7452)

    • XWORM has been detected (YARA)

      • WmiPrvSE.exe (PID: 7404)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • WmiPrvSE.exe (PID: 7404)

    • Contacting a server suspected of hosting an CnC

      • RuntimeBroker.exe (PID: 7452)
      • WmiPrvSE.exe (PID: 7404)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • RuntimeBroker.exe (PID: 7452)

    • Reads security settings of Internet Explorer

      • WmiPrvSE.exe (PID: 7404)

    • Connects to unusual port

      • RuntimeBroker.exe (PID: 7452)
      • WmiPrvSE.exe (PID: 7404)

  • INFO

    • Checks supported languages

      • RuntimeBroker.exe (PID: 7452)
      • WmiPrvSE.exe (PID: 7404)

    • Process checks computer location settings

      • WmiPrvSE.exe (PID: 7404)

    • Creates files or folders in the user directory

      • RuntimeBroker.exe (PID: 7452)
      • WmiPrvSE.exe (PID: 7404)

    • Autorun file from Startup directory

      • WmiPrvSE.exe (PID: 7404)
      • RuntimeBroker.exe (PID: 7452)

    • Reads the machine GUID from the registry

      • RuntimeBroker.exe (PID: 7452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Processunknown
C2morning-ultimately.gl.at.ply.gg:14531
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.2
MutexGNRHR6CNXKcizv8c

NjRat

(PID) Processunknown
C2morning-ultimately.gl.at.ply.gg
Ports14531
BotnetRuntimeBroker.exe
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a7508ccd4c60e6eaa0eb204481c3a0be
Splitter|'|'|
Version0.7d
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:24 15:10:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 202752
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x336ce
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: RuntimeBroker.exe
LegalCopyright:
OriginalFileName: RuntimeBroker.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
svchost.exe #XWORM wmiprvse.exe #NJRAT runtimebroker.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7404"C:\Users\admin\AppData\Roaming\WmiPrvSE.exe" C:\Users\admin\AppData\Roaming\WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Provider Host
Version:
6.2.19041.3636
Modules
Images
c:\windows\system32\shell32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\wldp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\edputil.dll
7452"C:\Users\admin\AppData\Roaming\RuntimeBroker.exe" C:\Users\admin\AppData\Roaming\RuntimeBroker.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\gac_msil\system.configuration\2.0.0.0__b03f5f7f11d50a3a\system.configuration.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\17854fc301b53d222d68eecc90cd31dd\system.xml.ni.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\dnsapi.dll
Total events
2 011
Read events
2 009
Write events
2
Delete events
0

Modification events

(PID) Process:(7452) RuntimeBroker.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(7404) WmiPrvSE.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:WmiPrvSE
Value:
C:\Users\admin\WmiPrvSE.exe
Executable files
2
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7404WmiPrvSE.exeC:\Users\admin\WmiPrvSE.exeexecutable
MD5:EC259CE663D09465C4D21B005CF73948
SHA256:9F81B80E073C56BF1CB2A4F2178EACF0F13858E31908FCD85397A452382BD371
7404WmiPrvSE.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnkbinary
MD5:8E7891643FBF683754010DADA9508E0B
SHA256:30934603CF7ADEB56F491D45BBBB7AACDCE3D2E39D38E35C25A3102BC1E45E76
7452RuntimeBroker.exeC:\Users\admin\AppData\Roaming\apptext
MD5:8FC22F973BEC7F0525710DCF02F05EDF
SHA256:BA0E21CEB11B1EC62709B0141373CE65DE5A156B822C9B6D3C3F9ED9AB224A46
7452RuntimeBroker.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeexecutable
MD5:3785497FD4339E24258E3BD47B933C34
SHA256:39B7D36F78AD70C878581C1052FC6C1E0AAB18312C9D8E229D9041494784F4B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
57
DNS requests
18
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5436
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5436
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5436
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5436
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5436
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T151707Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1f513ecce3ae4462961901f681e5f70a&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967636&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358166&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
2.95 Kb
whitelisted
POST
200
20.190.160.128:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
GET
200
20.103.156.88:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T151707Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=807fbd7c49274e879433213d2335ff42&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967636&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358166&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
4.42 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7452
RuntimeBroker.exe
147.185.221.26:14531
morning-ultimately.gl.at.ply.gg
PLAYIT-GG
US
malicious
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7404
WmiPrvSE.exe
147.185.221.26:14531
morning-ultimately.gl.at.ply.gg
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 20.198.162.78
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.68
  • 20.190.160.14
  • 20.190.160.2
  • 20.190.160.130
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.67
whitelisted
morning-ultimately.gl.at.ply.gg
  • 147.185.221.26
malicious
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.123
  • 104.126.37.161
  • 104.126.37.171
  • 104.126.37.155
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.163
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.48.23.159
  • 23.48.23.157
  • 23.48.23.160
  • 23.48.23.163
  • 23.48.23.168
  • 23.48.23.158
  • 23.48.23.149
  • 23.48.23.156
  • 23.48.23.153
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
7452
RuntimeBroker.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7452
RuntimeBroker.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
7452
RuntimeBroker.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
7404
WmiPrvSE.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
7404
WmiPrvSE.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
7404
WmiPrvSE.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
7404
WmiPrvSE.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RuntimeBroker.exe