File name:

NBTExplorer-2.8.0.zip

Full analysis: https://app.any.run/tasks/683e86ba-39ab-4d03-8178-41da800aaa20
Verdict: Malicious activity
Analysis date: March 25, 2025, 01:52:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

50A9DB91F83C6C09F064385E50760A25

SHA1:

278BFF3D03F71FC3B3ED84428064747C6715C7D1

SHA256:

1BF4C3E56A0E8FBA911C6C73CC12FBF105C01367D92DCFB9D20B0F529A666E4B

SSDEEP:

12288:uYehcLF+dlorMN+n2eJqzWglYo0IhEjlG:uYehcLF+dlorMN+n2eJqKglYo0IhEjlG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6108)

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 4784)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6108)
      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 728)

    • Application launched itself

      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 728)

    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Checks for external IP

      • CCleaner64.exe (PID: 728)

    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Starts application from unusual location

      • CCleaner64.exe (PID: 728)

    • Searches for installed software

      • CCleaner64.exe (PID: 728)

  • INFO

    • Manual execution by a user

      • CCleaner64.exe (PID: 8100)

    • Reads the computer name

      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 4784)

    • Reads Environment values

      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6108)

    • Process checks computer location settings

      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 728)

    • Checks supported languages

      • CCleaner64.exe (PID: 8100)
      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Reads product name

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Reads CPU info

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • The sample compiled with english language support

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Reads the machine GUID from the registry

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)

    • Reads the software policy settings

      • CCleaner64.exe (PID: 728)
      • CCleaner64.exe (PID: 4784)
      • BackgroundTransferHost.exe (PID: 4464)

    • Creates files or folders in the user directory

      • CCleaner64.exe (PID: 728)
      • BackgroundTransferHost.exe (PID: 4464)

    • Checks proxy server information

      • CCleaner64.exe (PID: 728)
      • BackgroundTransferHost.exe (PID: 4464)

    • Creates files in the program directory

      • CCleaner64.exe (PID: 4784)
      • CCleaner64.exe (PID: 728)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 5776)
      • BackgroundTransferHost.exe (PID: 7932)
      • BackgroundTransferHost.exe (PID: 4464)
      • BackgroundTransferHost.exe (PID: 8140)

    • Create files in a temporary directory

      • CCleaner64.exe (PID: 728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2017:11:24 02:37:10
ZipCRC: 0xa2d00f0d
ZipCompressedSize: 130881
ZipUncompressedSize: 429568
ZipFileName: NBTExplorer.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe nbtexplorer.exe no specs ccleaner64.exe no specs ccleaner64.exe backgroundtransferhost.exe no specs ccleaner64.exe backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
728"C:\Program Files\CCleaner\CCleaner64.exe" /uacC:\Program Files\CCleaner\CCleaner64.exe
CCleaner64.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Version:
6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
4464"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
4784"C:\Program Files\CCleaner\CCleaner64.exe" /monitorC:\Program Files\CCleaner\CCleaner64.exe
CCleaner64.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Version:
6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
4988"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
5776"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
6108"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\NBTExplorer-2.8.0.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7352"C:\Users\admin\AppData\Local\Temp\Rar$EXa6108.38857\NBTExplorer.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa6108.38857\NBTExplorer.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
NBTExplorer
Exit code:
0
Version:
2.8.0.0
7932"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
8100"C:\Program Files\CCleaner\CCleaner64.exe" C:\Program Files\CCleaner\CCleaner64.exeexplorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
8140"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
Total events
20 817
Read events
20 645
Write events
117
Delete events
55

Modification events

(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\NBTExplorer-2.8.0.zip
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
(PID) Process:(6108) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:size
Value:
80
Executable files
9
Suspicious files
103
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
6108WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa6108.38857\NBTUtil.exe.configxml
MD5:357B302903F3FD55C20DDF876835AE35
SHA256:309E6FEDB75EDB45DFF3937EFB1565F19443EC2CDB8EA20B91254701C3E7AC6D
6108WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa6108.38857\NBTModel.dllexecutable
MD5:4F6755F0ADCCECEEBDF45C056B5A885A
SHA256:482A8F6810C8D2B659FCF313BEA15E914B54923F9CFE5D0A11508CD16C81AEAE
6108WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa6108.38857\Substrate.dllexecutable
MD5:1368BE03ADEC59D273442910ABDD8741
SHA256:BD27F3309530A1937B068E6B9F1B5663BF5E28E4619EF25724A3290EB491E765
728CCleaner64.exeC:\Program Files\CCleaner\gcapi_dll.dllexecutable
MD5:F17F96322F8741FE86699963A1812897
SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
728CCleaner64.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms~RF110e16.TMPbinary
MD5:715D03F2C851242AE02F082C92170337
SHA256:52F9047E9A072554A68045FD0215B8484C2D6D758FEE82543FBAA7C7F7D163D9
7352NBTExplorer.exeC:\Users\admin\AppData\Local\NBTExplorer\NBTExplorer.exe_Url_mbv0pjwcd5zj0xauyvysvcapgxjnjuvu\2.8.0.0\user.configxml
MD5:F0DDAD7A6110FF1C701CD1391FA86B03
SHA256:91C8DE04FF164D5303750212DBE6DB223BDF50ACA3DA79C0FCDA8A35595279D9
728CCleaner64.exeC:\Program Files\CCleaner\gcapi_1742867591728.dllexecutable
MD5:F17F96322F8741FE86699963A1812897
SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
728CCleaner64.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8MDHURF62FMXAXQJ78GY.tempbinary
MD5:4EBDB44509F0C7E6DD43D79AE5974F19
SHA256:BAC73EE804EA67D1B851F997E990FF605222BC97DFCA738395C2DB85F6BEC4EF
728CCleaner64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04binary
MD5:C3B2E7057647C482D82920D6B089D0C2
SHA256:74442205B68F9C71A9D4EB83EF34D32F31578339E2054DE44F6CFC234C60167D
728CCleaner64.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-msbinary
MD5:4EBDB44509F0C7E6DD43D79AE5974F19
SHA256:BAC73EE804EA67D1B851F997E990FF605222BC97DFCA738395C2DB85F6BEC4EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
35
DNS requests
23
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7188
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
728
CCleaner64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
728
CCleaner64.exe
GET
200
142.250.181.227:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
728
CCleaner64.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
4784
CCleaner64.exe
GET
200
23.48.23.10:80
http://ncc.avast.com/ncc.txt
unknown
whitelisted
728
CCleaner64.exe
GET
200
23.48.23.10:80
http://ncc.avast.com/ncc.txt
unknown
whitelisted
728
CCleaner64.exe
GET
200
142.250.185.195:80
http://o.pki.goog/s/wr3/bBg/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEGwY1bOiaIYyCQBbxs0Wu5Q%3D
unknown
whitelisted
8172
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:137
whitelisted
6544
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7188
backgroundTaskHost.exe
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7188
backgroundTaskHost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.2
  • 20.190.160.128
  • 20.190.160.66
  • 20.190.160.132
  • 20.190.160.5
  • 40.126.32.74
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
ncc.avast.com
  • 23.48.23.10
  • 23.48.23.31
whitelisted
analytics.avcdn.net
  • 34.117.223.223
whitelisted
www.ccleaner.com
  • 104.75.89.48
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
728
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NBTExplorer-2.8.0.zip