File name:

GESTIÓN DE PROCESO DE ACTUACIÓN JUDICIAL RAD 14447774422.zip

Full analysis: https://app.any.run/tasks/38a4faf0-6807-4996-9148-7dadf5ee81ad
Verdict: Malicious activity
Analysis date: March 12, 2025, 03:49:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

0B9BAAFC567C640524D2DFF723F6EF5A

SHA1:

04B8FB5195818C9EBA25ADAF286770E13CF835E4

SHA256:

4014DFC9BBA8FDC2D6A84A530FE0C7F2B5DDA6EE2EF4ED76618C293C1A8CAFB7

SSDEEP:

98304:S1d05sXTOGED0V9cbEC+DLAZz035HeUFo6Fekn6pS6wazlvrnahSU0oqAob8JtVc:9U+ll5w9TnSt9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5256)
    • Changes the autorun value in the registry

      • install.exe (PID: 4620)
      • Nicand.exe (PID: 4920)
    • Executing a file with an untrusted certificate

      • Nicand.exe (PID: 5376)
      • Nicand.exe (PID: 1012)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 7660)
      • Nicand.exe (PID: 2040)
      • Nicand.exe (PID: 4920)
      • Nicand.exe (PID: 7488)
    • Starts NET.EXE for service management

      • Nicand.exe (PID: 1012)
      • net.exe (PID: 8112)
      • net.exe (PID: 6700)
      • Sleepy3.exe (PID: 8148)
      • net.exe (PID: 7304)
      • install.exe (PID: 4620)
      • net.exe (PID: 7400)
      • net.exe (PID: 6184)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5256)
      • ShellExperienceHost.exe (PID: 7612)
      • NClient.exe (PID: 7428)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 7660)
    • Executable content was dropped or overwritten

      • install.exe (PID: 4620)
    • Drops a system driver (possible attempt to evade defenses)

      • install.exe (PID: 4620)
    • Process drops legitimate windows executable

      • install.exe (PID: 4620)
    • Creates file in the systems drive root

      • PrChk.exe (PID: 3272)
      • NClient.exe (PID: 7544)
      • NClient.exe (PID: 1040)
      • NClient.exe (PID: 7860)
      • NClient.exe (PID: 7904)
      • NClient.exe (PID: 7428)
      • Discover.exe (PID: 7036)
      • Discover.exe (PID: 2192)
    • Uses ICACLS.EXE to modify access control lists

      • install.exe (PID: 4620)
      • Nicand.exe (PID: 4920)
    • Likely accesses (executes) a file from the Public directory

      • cacls.exe (PID: 5084)
      • cacls.exe (PID: 8080)
      • cacls.exe (PID: 8100)
      • cacls.exe (PID: 8128)
    • Executes as Windows Service

      • NClient.exe (PID: 7860)
    • Connects to unusual port

      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 7660)
      • Nicand.exe (PID: 2040)
      • NClient.exe (PID: 7428)
      • Nicand.exe (PID: 7488)
      • Nicand.exe (PID: 1012)
      • Nicand.exe (PID: 4920)
    • Application launched itself

      • NClient.exe (PID: 7860)
    • Executes application which crashes

      • NClient.exe (PID: 7904)
    • Uses SYSTEMINFO.EXE to read the environment

      • Discover.exe (PID: 7036)
      • Discover.exe (PID: 2192)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5256)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 4756)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 7660)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8036)
      • BackgroundTransferHost.exe (PID: 4756)
      • BackgroundTransferHost.exe (PID: 1184)
      • BackgroundTransferHost.exe (PID: 6728)
      • BackgroundTransferHost.exe (PID: 7784)
    • Creates files in the program directory

      • install.exe (PID: 4620)
      • Nicand.exe (PID: 5376)
      • hear_usr.exe (PID: 7556)
      • Sleepy3.exe (PID: 6424)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 7660)
      • NClient.exe (PID: 7860)
      • Sleepy3.exe (PID: 8148)
      • 2clientd.exe (PID: 6268)
      • hear_usr.exe (PID: 3024)
      • Nicand.exe (PID: 2040)
      • NClient.exe (PID: 7428)
      • NClient.exe (PID: 7904)
      • hear_usr.exe (PID: 6564)
      • Discover.exe (PID: 2192)
      • Discover.exe (PID: 7036)
      • Nicand.exe (PID: 4920)
      • Nicand.exe (PID: 7488)
      • hear_usr.exe (PID: 7552)
      • Nmgmt.exe (PID: 7500)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 4756)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 7660)
      • slui.exe (PID: 3176)
    • Checks supported languages

      • install.exe (PID: 4620)
      • PrChk.exe (PID: 3272)
      • Winide.exe (PID: 7460)
      • Nmgmt.exe (PID: 7500)
      • IcoDisc.exe (PID: 2600)
      • hear_usr.exe (PID: 7556)
      • CClient.exe (PID: 1116)
      • NClient.exe (PID: 7544)
      • Sleepy3.exe (PID: 6424)
      • ShellExperienceHost.exe (PID: 7612)
      • Sleepy64.exe (PID: 5308)
      • Nicand.exe (PID: 5376)
      • winide64.exe (PID: 7256)
      • LeveBack.exe (PID: 5156)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 1012)
      • Winide.exe (PID: 1672)
      • winide64.exe (PID: 5800)
      • IcoDisc.exe (PID: 7036)
      • CClient.exe (PID: 4188)
      • NClient.exe (PID: 1040)
      • Sleepy3.exe (PID: 7804)
      • Sleepy3.exe (PID: 8140)
      • Qumov.exe (PID: 2096)
      • Nicand.exe (PID: 7660)
      • Winide.exe (PID: 8096)
      • 2clientd.exe (PID: 6268)
      • winide64.exe (PID: 7864)
      • hear_usr.exe (PID: 3024)
      • LeveBack.exe (PID: 3032)
      • NClient.exe (PID: 7860)
      • Sleepy64.exe (PID: 2084)
      • NClient.exe (PID: 7904)
      • Nicand.exe (PID: 2040)
      • Sleepy3.exe (PID: 7908)
      • NClient.exe (PID: 7428)
      • Help.exe (PID: 5728)
      • Sleepy3.exe (PID: 5204)
      • hear_usr.exe (PID: 6564)
      • Winide.exe (PID: 5800)
      • Sleepy3.exe (PID: 8148)
      • Discover.exe (PID: 7036)
      • Nicand.exe (PID: 4920)
      • Discover.exe (PID: 2192)
      • inv_dmz.exe (PID: 3132)
      • inv_dmz.exe (PID: 2320)
      • inv_dmz.exe (PID: 1452)
      • Sleepy64.exe (PID: 7396)
      • Sleepy3.exe (PID: 1116)
      • Qumov.exe (PID: 4976)
      • Nicand.exe (PID: 7488)
      • inv_dmz.exe (PID: 3008)
      • Winide.exe (PID: 8140)
      • winide64.exe (PID: 4784)
      • hear_usr.exe (PID: 7552)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 4756)
      • slui.exe (PID: 7380)
      • NClient.exe (PID: 7428)
      • slui.exe (PID: 3176)
    • Reads the computer name

      • install.exe (PID: 4620)
      • PrChk.exe (PID: 3272)
      • Nicand.exe (PID: 5376)
      • ShellExperienceHost.exe (PID: 7612)
      • hear_usr.exe (PID: 7556)
      • Sleepy3.exe (PID: 6424)
      • NClient.exe (PID: 7544)
      • Sleepy64.exe (PID: 5308)
      • winide64.exe (PID: 7256)
      • Winide.exe (PID: 7460)
      • winide64.exe (PID: 5800)
      • LeveBack.exe (PID: 5156)
      • Nicand.exe (PID: 1188)
      • Nicand.exe (PID: 1012)
      • Winide.exe (PID: 1672)
      • NClient.exe (PID: 1040)
      • Sleepy3.exe (PID: 7804)
      • Sleepy3.exe (PID: 8140)
      • Nicand.exe (PID: 7660)
      • NClient.exe (PID: 7860)
      • Sleepy3.exe (PID: 8148)
      • Winide.exe (PID: 8096)
      • winide64.exe (PID: 7864)
      • 2clientd.exe (PID: 6268)
      • LeveBack.exe (PID: 3032)
      • Sleepy64.exe (PID: 2084)
      • hear_usr.exe (PID: 3024)
      • Nicand.exe (PID: 2040)
      • NClient.exe (PID: 7904)
      • Sleepy3.exe (PID: 7908)
      • NClient.exe (PID: 7428)
      • Help.exe (PID: 5728)
      • Sleepy3.exe (PID: 5204)
      • Winide.exe (PID: 5800)
      • hear_usr.exe (PID: 6564)
      • Nicand.exe (PID: 4920)
      • Discover.exe (PID: 2192)
      • inv_dmz.exe (PID: 3132)
      • Discover.exe (PID: 7036)
      • Sleepy64.exe (PID: 7396)
      • Sleepy3.exe (PID: 1116)
      • Nicand.exe (PID: 7488)
      • Winide.exe (PID: 8140)
      • winide64.exe (PID: 4784)
      • hear_usr.exe (PID: 7552)
    • The sample compiled with english language support

      • install.exe (PID: 4620)
    • Reads the machine GUID from the registry

      • LeveBack.exe (PID: 5156)
      • NClient.exe (PID: 7860)
      • NClient.exe (PID: 7904)
      • LeveBack.exe (PID: 3032)
      • NClient.exe (PID: 7428)
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:02:24 12:49:08
ZipCRC: 0xb058982a
ZipCompressedSize: 5345848
ZipUncompressedSize: 5435392
ZipFileName: Agent_v828_IndraGEB.exe
No data.
Total processes
242
Monitored processes
102
Malicious processes
9
Suspicious processes
6

Behavior graph

start winrar.exe sppextcomobj.exe no specs slui.exe agent_v828_indrageb.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs install.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs cacls.exe no specs cacls.exe no specs conhost.exe no specs cacls.exe no specs conhost.exe no specs cacls.exe no specs cacls.exe no specs conhost.exe no specs conhost.exe no specs cacls.exe no specs conhost.exe no specs conhost.exe no specs prchk.exe no specs nicand.exe no specs winide.exe no specs winide64.exe no specs nmgmt.exe no specs icodisc.exe no specs cclient.exe no specs nclient.exe no specs sleepy3.exe no specs hear_usr.exe no specs shellexperiencehost.exe no specs sleepy64.exe no specs leveback.exe no specs nicand.exe nicand.exe winide.exe no specs winide64.exe no specs icodisc.exe no specs cclient.exe no specs nclient.exe no specs sleepy3.exe no specs net.exe no specs net.exe no specs sleepy3.exe no specs conhost.exe no specs conhost.exe no specs qumov.exe no specs nicand.exe net1.exe no specs net1.exe no specs nclient.exe no specs sleepy3.exe no specs net.exe no specs winide.exe no specs conhost.exe no specs net1.exe no specs winide64.exe no specs 2clientd.exe no specs hear_usr.exe no specs leveback.exe no specs sleepy64.exe no specs nicand.exe slui.exe nclient.exe sleepy3.exe no specs help.exe no specs werfault.exe no specs nclient.exe sleepy3.exe no specs winide.exe no specs hear_usr.exe no specs discover.exe no specs systeminfo.exe no specs conhost.exe no specs nicand.exe cacls.exe no specs cacls.exe no specs discover.exe no specs conhost.exe no specs conhost.exe no specs systeminfo.exe no specs conhost.exe no specs tiworker.exe no specs inv_dmz.exe no specs inv_dmz.exe no specs inv_dmz.exe no specs inv_dmz.exe no specs sleepy64.exe no specs net.exe no specs net.exe no specs conhost.exe no specs conhost.exe no specs net1.exe no specs net1.exe no specs sleepy3.exe no specs qumov.exe no specs 
nicand.exe winide.exe no specs winide64.exe no specs hear_usr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 720
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1012
CMD: "C:\Program Files (x86)\LEVERIT\AGENT\nicand.exe" /normal
Path: C:\Program Files (x86)\LeverIT\Agent\Nicand.exe
Parent process: Sleepy3.exe
User:
admin
Company:
LeverIt
Integrity Level:
HIGH
Description:
Nicand
Version:
3, 0, 0, 1
Modules
Images
c:\program files (x86)\leverit\agent\nicand.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1040
CMD: "C:\PROGRA~2\LEVERIT\AGENT\NClient.exe" -install
Path: C:\Program Files (x86)\LeverIT\Agent\NClient.exe
Parent process: CClient.exe
User:
admin
Company:
LeverIt
Integrity Level:
HIGH
Description:
Comunication Agent
Exit code:
0
Version:
5.52.0.0
Modules
Images
c:\program files (x86)\leverit\agent\nclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1116
CMD: "C:\Program Files (x86)\LEVERIT\AGENT\cclient.exe" -install
Path: C:\Program Files (x86)\LeverIT\Agent\CClient.exe
Parent process: install.exe
User:
admin
Company:
Leverit
Integrity Level:
HIGH
Description:
Starter
Exit code:
33
Version:
1, 0, 0, 1
Modules
Images
c:\program files (x86)\leverit\agent\cclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1116
CMD: "C:\Program Files (x86)\LEVERIT\AGENT\sleepy3.exe"
Path: C:\Program Files (x86)\LeverIT\Agent\Sleepy3.exe
Parent process: install.exe
User:
admin
Company:
LeverIt
Integrity Level:
HIGH
Description:
Comunication Agent
Exit code:
0
Version:
6, 0, 0, 6
Modules
Images
c:\program files (x86)\leverit\agent\sleepy3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1184
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1188
CMD: "C:\Program Files (x86)\LEVERIT\AGENT\nicand.exe" /INIBAK
Path: C:\Program Files (x86)\LeverIT\Agent\Nicand.exe
Parent process: LeveBack.exe
User:
admin
Company:
LeverIt
Integrity Level:
HIGH
Description:
Nicand
Exit code:
0
Version:
3, 0, 0, 1
Modules
Images
c:\program files (x86)\leverit\agent\nicand.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1452
CMD: C:\PROGRA~2\LEVERIT\AGENT\inv_dmz.exe
Path: C:\Program Files (x86)\LeverIT\Agent\inv_dmz.exe
Parent process: Discover.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\program files (x86)\leverit\agent\inv_dmz.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1672
CMD: "C:\Program Files (x86)\LEVERIT\AGENT\Winide.exe"
Path: C:\Program Files (x86)\LeverIT\Agent\Winide.exe
Parent process: Nicand.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\leverit\agent\winide.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events
24 454
Read events
24 244
Write events
210
Delete events
0

Modification events

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\GESTIÓN DE PROCESO DE ACTUACIÓN JUDICIAL RAD 14447774422.zip

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5256) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4756) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4756) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files
58
Suspicious files
31
Text files
54
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4756
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\c767ab12-15de-43a1-aeab-d2310a28cf8d.down_data
Type:
MD5:
SHA256:

PID: 4756
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5: 5E16E74D50899C2ACB576669F07DEE54
SHA256: 9B0954B5A8009228D7253B74A69B0E909169BB741F574934537E32A66517A322

PID: 4620
Process: install.exe
Filename: C:\Program Files (x86)\LeverIT\Agent\config.txt
Type: text
MD5: A7DBEF40E407F45DBDF9417313E742B6
SHA256: 96A5A1AA54E6D901678D13BF1712CED7A3AE134D0358D012D0D0703D34F90EF8

PID: 4620
Process: install.exe
Filename: C:\Program Files (x86)\LeverIT\Agent\version.dat
Type: binary
MD5: 16AE06BF5EA736B954D5356E040A64E1
SHA256: E45097757A5B7D04F366D5E7E5AF5510BE92CB9AD9FFCEE9DF3ECB1183112B3F

PID: 4620
Process: install.exe
Filename: C:\Program Files (x86)\LeverIT\Agent\versionB.dat
Type: binary
MD5: A5073FDDD4F0F1C224274B5E0D0E0122
SHA256: 860A97AA785F93C4A232D603FE56D5B0BE1E7B773E7A04A559166DF4C6EE2D57

PID: 4620
Process: install.exe
Filename: C:\Program Files (x86)\LeverIT\Agent\Anim6.bmp
Type: image
MD5: 7BE62CD9467978AD4A0D39D7615A6780
SHA256: 724F5C896816C5DEC220A94E6A762E23BC24792AF13A59C709B38453207AFA4B

PID: 4756
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a6f24761-39eb-4a89-bc35-8a9b829ad934.up_meta_secure
Type: binary
MD5: F9FE8D7C114D27CD9DD1EB690F51BC1D
SHA256: 7B55A4E04B8B3640FBE33114A30BA23D6879852A1ED5D78F48167D89FE312399

PID: 5256
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa5256.21288\Agent_v828_IndraGEB.exe
Type: executable
MD5: 46C60EDFCFB5B296E82F7AD8F2C347BE
SHA256: FC4CF017CDFA3F57123DF37CB5AE92E304EF6ED1450345058478D336110C141D

PID: 4620
Process: install.exe
Filename: C:\Program Files (x86)\LeverIT\Agent\depr.bin
Type: binary
MD5: CF3027E257ED6BFB955C1F765E4C6F74
SHA256: 29C1DA0813FED577D52743F52D197574CF525223DE2CA1B7DD3B5F7F0B1C4852

PID: 4756
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a6f24761-39eb-4a89-bc35-8a9b829ad934.2dd53a46-101e-4ec0-9705-9ee9197c1b18.down_meta
Type: binary
MD5: 49CDE0F0AC5DBCAB3520A9B68D58A061
SHA256: 29A17318706A0C5ACF85FF9E3940EBD2740AF9D6F6541B5E62FB603FF0DF09B7
HTTP(S) requests
8
TCP/UDP connections
56
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
5260
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
whitelisted
7268
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
DE
binary
471 b
whitelisted
5260
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
7428
NClient.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
binary
2.18 Kb
whitelisted
1188
Nicand.exe
GET
200
72.167.49.69:80
http://www.leverit-server.com/dlic/infipsglob.aspx?COUNT=57&EMPRE=365
US
html
835 b
unknown
7660
Nicand.exe
GET
200
72.167.49.69:80
http://www.leverit-server.com/dlic/infipsglob.aspx?COUNT=57&EMPRE=365
US
html
835 b
unknown
4756
BackgroundTransferHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
DE
binary
312 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.159.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.159.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7268
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7268
backgroundTaskHost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 216.58.212.142
whitelisted
login.live.com
  • 20.190.159.131
  • 40.126.31.128
  • 20.190.159.64
  • 20.190.159.68
  • 40.126.31.0
  • 20.190.159.4
  • 20.190.159.71
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 2.16.204.141
  • 2.16.204.161
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info