File name: _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe

Full analysis: https://app.any.run/tasks/53b4744e-dac1-4bb7-b798-687edc2aca99
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 06, 2026, 22:57:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
njrat
bladabindi
remote
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 129DF3C4DCAAE4C1860A334BE50F2ED3
SHA1: 4CDA77BC5D5C136C4A5A19122FD378B045CC7DEE
SHA256: FF87CD932E25B024CD10042C186F252FDABDAC2C4D4CBC67F89E457697EBBC71
SSDEEP: 768:dv0w5DGIqLRwuv4oDDXSLzbPgJqqiD8ZuSNuCicI:dcw9poXX4zjg8E3Nh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NjRAT is detected

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
    • NJRAT has been detected (SURICATA)

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
    • NJRAT has been detected (YARA)

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
  • SUSPICIOUS

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
    • Contacting a server suspected of hosting a CnC

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
  • INFO

    • Checks supported languages

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
    • Reads the machine GUID from the registry

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)
    • Reads the computer name

      • _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe (PID: 7176)

NjRat

(PID) Process: (7176) _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe
C2 (1): phishing.multimilliontoken.org
Ports (1): 443
Botnet: HacKed
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\411e31664bdd9d96369d0a44d5111aef
Splitter: |'|'|
Version: im523

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:04:04 05:14:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 35840
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xabde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 137
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #NJRAT _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe -> netsh.exe (no specs) -> conhost.exe (no specs)

Process information

PID: 4684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators: -
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5712
CMD: netsh firewall add allowedprogram "C:\Users\admin\Desktop\_ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe" "_ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe" ENABLE
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: -
Parent process: _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7176
CMD: "C:\Users\admin\Desktop\_ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe"
Path: C:\Users\admin\Desktop\_ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\_ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 922
Read events: 920
Write events: 2
Delete events: 0

Modification events

(PID) Process: (7176) _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe
Key: HKEY_CURRENT_USER
Operation: write
Name: di
Value: !

(PID) Process: (5712) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%systemroot%\system32\FirewallControlPanel.dll,-12122
Value: Windows Defender Firewall
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 61
TCP/UDP connections: 46
DNS requests: 18
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4680 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4680 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | POST | 200 | 20.190.159.128:443 | https://login.live.com/RST2.srf | US | text | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | binary | 203 b | whitelisted
5316 | svchost.exe | POST | 400 | 20.190.160.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5316 | svchost.exe | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | binary | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 48.192.1.64:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
- | - | 92.123.104.50:443 | - | AKAMAI-ASN1 | NL | whitelisted
4680 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
4680 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5316 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3428 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.154.101, 142.250.154.102, 142.250.154.138, 142.250.154.139, 142.250.154.100, 142.250.154.113 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 23.52.181.212, 88.221.169.152 | whitelisted
login.live.com | 20.190.160.64, 40.126.32.136, 20.190.160.2, 20.190.160.67, 40.126.32.68, 20.190.160.131, 20.190.160.22, 40.126.32.72 | whitelisted
client.wns.windows.com | 172.211.123.248, 20.59.87.226 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
phishing.multimilliontoken.org | 188.114.97.3, 188.114.96.3 | unknown
slscr.update.microsoft.com | 20.165.94.63 | whitelisted
fe3cr.delivery.mp.microsoft.com | 135.233.95.135 | whitelisted
self.events.data.microsoft.com | 20.189.173.26 | whitelisted

Threats

PID | Process | Class | Message
7176 | _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
7176 | _ff87cd932e25b024cd10042c186f252fdabdac2c4d4cbc67f89e457697ebbc71.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)