download:

/demon.x64.exe

Full analysis: https://app.any.run/tasks/38c2ed9b-d98b-448f-95fc-ed951f0f3fc9
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: November 13, 2024, 00:44:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sliver
backdoor
havoc
framework
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 6 sections
MD5:

F5EB76A42690D0A5B7272D88794EF575

SHA1:

2BEC89ACE9C00312A5C66D05C1F6323941977241

SHA256:

44F92F09FD700B792C0A15C6B7B95FD7C879C20BFDA9B7299671CF8CB5EA21CD

SSDEEP:

1536:bsR8ghweSyOEM+v7pbn6QL5RLRgx8KhfKJlp8:bsG9eVOijpDFL5Mru8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SLIVER has been detected (SURICATA)

      • demon.x64.exe (PID: 5284)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks proxy server information

      • demon.x64.exe (PID: 5284)

    • Checks supported languages

      • demon.x64.exe (PID: 5284)

    • Reads the machine GUID from the registry

      • demon.x64.exe (PID: 5284)

    • Reads the computer name

      • demon.x64.exe (PID: 5284)

    • Reads the software policy settings

      • demon.x64.exe (PID: 5284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:05 19:49:00+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.37
CodeSize: 96256
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0x17be0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SLIVER demon.x64.exe

Process information

PID
CMD
Path
Indicators
Parent process
5284"C:\Users\admin\Desktop\demon.x64.exe" C:\Users\admin\Desktop\demon.x64.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\demon.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events
3 173
Read events
3 173
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
38
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
624
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2000
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6708
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2000
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1752
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
5284
demon.x64.exe
148.113.192.160:443
OVH SAS
CA
malicious
4360
SearchApp.exe
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 172.217.23.110
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
th.bing.com
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.187
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID
Process
Class
Message
5284
demon.x64.exe
A Network Trojan was detected
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/demon.x64.exe