Edit tour

Windows Analysis Report
demon.exe

Overview

General Information

Sample name:	demon.exe
Analysis ID:	1545840
MD5:	c8cbad944550f18e550725f69edf5553
SHA1:	a4fedf75a7d1493ac25dac8a9ad47fcf5926def8
SHA256:	c8c8d9baffd6ebfe015490f08ff6c93793c31706f4cf5dc868ad560fbbdff24f
Tags:	exeuser-lontze7
Infos:

Detection

Havoc

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Havoc

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query network adapater information

Detected potential crypto function

PE file does not import any functions

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

demon.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\demon.exe" MD5: C8CBAD944550F18E550725F69EDF5553)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Havoc	First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This capability enhances its effectiveness in evading detection and circumventing security measures.	No Attribution	https://4pfsec.com/havoc-c2-first-look/ https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/ https://github.com/HavocFramework/Havoc https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
demon.exe	JoeSecurity_Havoc_2	Yara detected Havoc	Joe Security
demon.exe	JoeSecurity_Havoc_1	Yara detected Havoc	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: demon.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: demon.exe	ReversingLabs: Detection: 68%
Source: demon.exe	Virustotal: Detection: 57%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: demon.exe

Joe Sandbox ML: detected

Source: demon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125

Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp, demon.exe, 00000000.00000002.3299898707.0000019756F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/%
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/2
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/F
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/H
Source: demon.exe, 00000000.00000002.3299898707.0000019756F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/Pw
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/Q
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125/g
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125:443/
Source: demon.exe, 00000000.00000002.3299898707.0000019756F8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://87.120.113.125:443/X

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E94E80 NtAddBootEntry,		0_2_00007FF7C5E94E80
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E94FE0 NtAddBootEntry,		0_2_00007FF7C5E94FE0

Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E8C6D0	0_2_00007FF7C5E8C6D0
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E88D50	0_2_00007FF7C5E88D50
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E8AAF0	0_2_00007FF7C5E8AAF0
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E93EC0	0_2_00007FF7C5E93EC0
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E8C0A0	0_2_00007FF7C5E8C0A0
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E96E70	0_2_00007FF7C5E96E70
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E8666F	0_2_00007FF7C5E8666F
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E95E40	0_2_00007FF7C5E95E40
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E97C00	0_2_00007FF7C5E97C00
Source: C:\Users\user\Desktop\demon.exe	Code function: 0_2_00007FF7C5E811E0	0_2_00007FF7C5E811E0

Source: demon.exe

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/1

Source: demon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\demon.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: demon.exe	ReversingLabs: Detection: 68%
Source: demon.exe	Virustotal: Detection: 57%

Source: C:\Users\user\Desktop\demon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\demon.exe	Section loaded: schannel.dll	Jump to behavior

Source: demon.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: demon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\Desktop\demon.exe

Code function: GetComputerNameExA,GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo,

0_2_00007FF7C5E88D50

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWjZ

Source: C:\Users\user\Desktop\demon.exe

Code function: 0_2_00007FF7C5E8E4A0 LdrGetProcedureAddress,

0_2_00007FF7C5E8E4A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\demon.exe

NtQueryInformationProcess: Indirect: 0x7FF7C5E94F0F

Jump to behavior

Source: C:\Users\user\Desktop\demon.exe

Code function: 0_2_00007FF7C5E88D50 GetComputerNameExA,GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo,

0_2_00007FF7C5E88D50

Stealing of Sensitive Information

Yara detected Havoc

Source: Yara match

File source: demon.exe, type: SAMPLE

Remote Access Functionality

Yara detected Havoc

Source: Yara match

File source: demon.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
demon.exe	68%	ReversingLabs	Win64.Backdoor.Havoc
demon.exe	58%	Virustotal		Browse
demon.exe	100%	Avira	HEUR/AGEN.1329818
demon.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://87.120.113.125/2	demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/Q	demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125:443/X	demon.exe, 00000000.00000002.3299898707.0000019756F8F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/Pw	demon.exe, 00000000.00000002.3299898707.0000019756F68000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/	demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp, demon.exe, 00000000.00000002.3299898707.0000019756F68000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/H	demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/g	demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/F	demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125/%	demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://87.120.113.125:443/	demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.113.125	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545840
Start date and time:	2024-10-31 06:46:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	demon.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	3u8A2xjbBT.exe	Get hash	malicious	LiteHTTP Bot	Browse	87.120.126.5
	CARDFACTORYAccess Program, Tuesday, October 29, 2024.eml	Get hash	malicious	HTMLPhisher	Browse	87.120.113.115
	bLaLoo4ET5.exe	Get hash	malicious	Quasar	Browse	87.120.116.115
	Transferencia.doc	Get hash	malicious	Quasar	Browse	87.120.116.115
	1XZFfxyWZA.exe	Get hash	malicious	RedLine	Browse	87.120.115.20
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	87.120.126.33
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	87.120.126.33
	https://anviict.com/?qvtvxymb	Get hash	malicious	HTMLPhisher	Browse	87.120.125.203
	t50.elf	Get hash	malicious	Xmrig	Browse	87.120.117.189
	ctCDAy5OQc.exe	Get hash	malicious	XenoRAT	Browse	87.120.116.115

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.873002172563993
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	demon.exe
File size:	102'400 bytes
MD5:	c8cbad944550f18e550725f69edf5553
SHA1:	a4fedf75a7d1493ac25dac8a9ad47fcf5926def8
SHA256:	c8c8d9baffd6ebfe015490f08ff6c93793c31706f4cf5dc868ad560fbbdff24f
SHA512:	21142155dc148f353092ca66b2289ef6bf7ee992e051ce8adcc564f38aacd82db67c2dbb51625c3dee3ceee55c1e86a3919856ef43b6167392000858f0962cb8
SSDEEP:	1536:ckJIalOYktfCM83v6pq9UVE/kGE5+Kb+LwoMSJZNx5FOGdbn:jlITtfCMT2UVE/kOXMSJZDPOGdb
TLSH:	7BA39603E2A720FEC4A9C1B447CF7232FAB3B46C21346A4E5710CB552F62AB1767D659
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...R."g...............%.x...........{.........@..........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140017be0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x67229D52 [Wed Oct 30 20:55:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
xor edx, edx
xor ecx, ecx
call 00007F1ABD0801C8h
xor eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
xor esi, esi
push ebx
mov eax, esi
dec eax
sub esp, 00000108h
dec eax
mov ebx, dword ptr [00002552h]
dec eax
mov dword ptr [esp+00000150h], ecx
dec eax
lea edi, dword ptr [esp+7Ah]
mov ecx, 0000000Eh
rep stosb
xor eax, eax
mov ecx, 0000000Ah
dec eax
lea edi, dword ptr [esp+000000ACh]
rep stosd
mov ecx, 0000000Bh
dec eax
lea edi, dword ptr [esp+000000D4h]
dec eax
mov dword ptr [esp+00000158h], edx
rep stosd
mov ecx, 00000008h
dec eax
lea edi, dword ptr [esp+00000088h]
dec eax
mov dword ptr [esp+70h], 00000000h
rep stosd
dec eax
mov eax, dword ptr [ebx]
mov ecx, 0000004Ch
call dword ptr [eax+000006B0h]
mov ecx, 0000004Dh
mov dword ptr [esp+68h], eax
dec eax
mov eax, dword ptr [ebx]
call dword ptr [eax+000006B0h]
mov ecx, 0000000Eh
mov dword ptr [esp+6Ch], eax
dec eax
lea eax, dword ptr [esp+7Ah]
dec eax
mov dword ptr [esp+60h], eax
dec eax
mov edi, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1b000	0x36	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c000	0x14	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d000	0xec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x176b0	0x17800	ce1ca9d9c97433c26fd8b712a01cdece	False	0.48932014627659576	data	5.957715459887156	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x19000	0x940	0xa00	0904e47fd5a0e8c2f355d3de844346fc	False	0.45703125	data	3.7759570708035093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1a000	0x2e0	0x400	fd95c80dce9d4c70213f7386b413ff1b	False	0.5205078125	Matlab v4 mat-file (little endian) \245\274\376\377\257\276\376\377P\301\376\377\331\277\376\377\364\300\376\377\212\235\376\377k\240\376\377\345\241\376\377\370\242\376\377.\243\376\377\236\243\376\377\365\243\376\377F\244\376\377\316\244\376\377/\245\376\377\217\260\376\377N\261\376\377P\262\376\377\243\267\376\377\243\267\376\377\310\263\376\377\336\264\376\377\260\265\376\377\274\266\376\377\356\311\376\377@\312\376\377\004\313\376\377\206\313\376\377\340\314\376\377q\316\376\377\034\317\376\377, rows 0, columns 0	4.772046295400514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.edata	0x1b000	0x36	0x200	dbfb7acd3425352cff3643070ddab587	False	0.091796875	data	0.5383258046104653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1c000	0x14	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1d000	0xec	0x200	f8de71fa3c1cc2ad4eff7e6cb2bd3e6d	False	0.3828125	data	2.9814268905374997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 06:46:59.510211945 CET	49704	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:46:59.510257006 CET	443	49704	87.120.113.125	192.168.2.5
Oct 31, 2024 06:46:59.510349035 CET	49704	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:46:59.511933088 CET	49704	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:46:59.511946917 CET	443	49704	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:00.719985008 CET	443	49704	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:00.720112085 CET	49704	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:00.720204115 CET	49704	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:00.720222950 CET	443	49704	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:00.722393990 CET	49705	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:00.722484112 CET	443	49705	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:00.722572088 CET	49705	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:00.723661900 CET	49705	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:00.723696947 CET	443	49705	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:01.921068907 CET	443	49705	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:01.921272039 CET	49705	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:01.921353102 CET	49705	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:01.921391010 CET	443	49705	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:01.921781063 CET	49706	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:01.921819925 CET	443	49706	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:01.921890020 CET	49706	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:01.922941923 CET	49706	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:01.922981024 CET	443	49706	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:01.923027992 CET	49706	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:03.818569899 CET	49707	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:03.818603039 CET	443	49707	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:03.818669081 CET	49707	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:03.819045067 CET	49707	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:03.819058895 CET	443	49707	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:05.025724888 CET	443	49707	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:05.025813103 CET	49707	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:05.025867939 CET	49707	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:05.025890112 CET	443	49707	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:05.026228905 CET	49708	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:05.026331902 CET	443	49708	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:05.026422024 CET	49708	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:05.026667118 CET	49708	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:05.026701927 CET	443	49708	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:06.229024887 CET	443	49708	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:06.229134083 CET	49708	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:06.229186058 CET	49708	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:06.229209900 CET	443	49708	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:06.229619026 CET	49709	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:06.229680061 CET	443	49709	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:06.229770899 CET	49709	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:06.229965925 CET	49709	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:06.230024099 CET	443	49709	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:06.230077028 CET	49709	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:08.506680012 CET	49710	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:08.506737947 CET	443	49710	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:08.506815910 CET	49710	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:08.507066965 CET	49710	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:08.507081985 CET	443	49710	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:09.700438976 CET	443	49710	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:09.700579882 CET	49710	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:09.700701952 CET	49710	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:09.700753927 CET	443	49710	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:09.701164007 CET	49711	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:09.701229095 CET	443	49711	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:09.701374054 CET	49711	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:09.701755047 CET	49711	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:09.701772928 CET	443	49711	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:11.287045002 CET	443	49711	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:11.287153006 CET	49711	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:11.287199974 CET	49711	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:11.287220955 CET	443	49711	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:11.287642956 CET	49712	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:11.287700891 CET	443	49712	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:11.287782907 CET	49712	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:11.287962914 CET	49712	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:11.287983894 CET	443	49712	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:11.288029909 CET	49712	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:13.209527016 CET	49713	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:13.209579945 CET	443	49713	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:13.209719896 CET	49713	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:13.209887981 CET	49713	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:13.209903955 CET	443	49713	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:14.398353100 CET	443	49713	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:14.398441076 CET	49713	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:14.398530006 CET	49713	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:14.398557901 CET	443	49713	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:14.399015903 CET	49714	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:14.399068117 CET	443	49714	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:14.399403095 CET	49714	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:14.400007963 CET	49714	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:14.400023937 CET	443	49714	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:15.751288891 CET	443	49714	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:15.751429081 CET	49714	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:15.751543045 CET	49714	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:15.751585007 CET	443	49714	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:15.752077103 CET	49718	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:15.752140045 CET	443	49718	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:15.752216101 CET	49718	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:15.752372026 CET	49718	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:15.752408981 CET	443	49718	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:15.752463102 CET	49718	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:17.646506071 CET	49727	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:17.646542072 CET	443	49727	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:17.646723032 CET	49727	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:17.646939993 CET	49727	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:17.646953106 CET	443	49727	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:18.845768929 CET	443	49727	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:18.845844984 CET	49727	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:18.848172903 CET	49727	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:18.848190069 CET	443	49727	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:18.848674059 CET	49734	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:18.848709106 CET	443	49734	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:18.849085093 CET	49734	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:18.849406004 CET	49734	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:18.849417925 CET	443	49734	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:21.088011026 CET	443	49734	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:21.088093042 CET	49734	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:21.088267088 CET	49734	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:21.088285923 CET	443	49734	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:21.089070082 CET	49744	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:21.089121103 CET	443	49744	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:21.089190006 CET	49744	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:21.090189934 CET	49744	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:21.090255022 CET	443	49744	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:21.090307951 CET	49744	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:23.209521055 CET	49760	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:23.209557056 CET	443	49760	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:23.209616899 CET	49760	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:23.209907055 CET	49760	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:23.209940910 CET	443	49760	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:25.084156036 CET	443	49760	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:25.084242105 CET	49760	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:25.084294081 CET	49760	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:25.084315062 CET	443	49760	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:25.084749937 CET	49766	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:25.084849119 CET	443	49766	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:25.084942102 CET	49766	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:25.085352898 CET	49766	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:25.085388899 CET	443	49766	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:26.308190107 CET	443	49766	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:26.308310032 CET	49766	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:26.308422089 CET	49766	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:26.308469057 CET	443	49766	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:26.308710098 CET	49772	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:26.308748007 CET	443	49772	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:26.308815002 CET	49772	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:26.308994055 CET	49772	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:26.309047937 CET	443	49772	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:26.309104919 CET	49772	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:28.333776951 CET	49786	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:28.333865881 CET	443	49786	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:28.333941936 CET	49786	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:28.334131002 CET	49786	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:28.334168911 CET	443	49786	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:29.717984915 CET	443	49786	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:29.718077898 CET	49786	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:29.718187094 CET	49786	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:29.718231916 CET	443	49786	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:29.718483925 CET	49794	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:29.718533993 CET	443	49794	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:29.718611002 CET	49794	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:29.718956947 CET	49794	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:29.718991041 CET	443	49794	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:30.920783997 CET	443	49794	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:30.920861959 CET	49794	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:30.920912027 CET	49794	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:30.920928001 CET	443	49794	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:30.921278000 CET	49803	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:30.921309948 CET	443	49803	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:30.921370983 CET	49803	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:30.921582937 CET	49803	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:30.921650887 CET	443	49803	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:30.921700001 CET	49803	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:33.036969900 CET	49816	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:33.037018061 CET	443	49816	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:33.037190914 CET	49816	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:33.037405014 CET	49816	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:33.037419081 CET	443	49816	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:34.233052969 CET	443	49816	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:34.233112097 CET	49816	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:34.233170986 CET	49816	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:34.233190060 CET	443	49816	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:34.233608007 CET	49822	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:34.233676910 CET	443	49822	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:34.233823061 CET	49822	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:34.234198093 CET	49822	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:34.234227896 CET	443	49822	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:35.436229944 CET	443	49822	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:35.436429977 CET	49822	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:35.436528921 CET	49822	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:35.436574936 CET	443	49822	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:35.436933041 CET	49828	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:35.436986923 CET	443	49828	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:35.437072039 CET	49828	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:35.437236071 CET	49828	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:35.437292099 CET	443	49828	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:35.437342882 CET	49828	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:37.490262985 CET	49844	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:37.490299940 CET	443	49844	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:37.490366936 CET	49844	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:37.490729094 CET	49844	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:37.490741014 CET	443	49844	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:38.680732012 CET	443	49844	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:38.680829048 CET	49844	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:38.695378065 CET	49844	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:38.695400000 CET	443	49844	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:38.699867010 CET	49850	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:38.699923038 CET	443	49850	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:38.699995995 CET	49850	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:38.708262920 CET	49850	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:38.708276987 CET	443	49850	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:39.920933962 CET	443	49850	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:39.921031952 CET	49850	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:39.921107054 CET	49850	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:39.921118021 CET	443	49850	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:39.921437025 CET	49858	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:39.921472073 CET	443	49858	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:39.921539068 CET	49858	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:39.921711922 CET	49858	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:39.921767950 CET	443	49858	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:39.921822071 CET	49858	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:41.632944107 CET	49867	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:41.632994890 CET	443	49867	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:41.633066893 CET	49867	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:41.633548021 CET	49867	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:41.633565903 CET	443	49867	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:42.823137999 CET	443	49867	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:42.823213100 CET	49867	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:42.823304892 CET	49867	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:42.823318005 CET	443	49867	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:42.823704004 CET	49875	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:42.823771000 CET	443	49875	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:42.823863029 CET	49875	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:42.824155092 CET	49875	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:42.824184895 CET	443	49875	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:44.013117075 CET	443	49875	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:44.013227940 CET	49875	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:44.013273001 CET	49875	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:44.013297081 CET	443	49875	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:44.013715982 CET	49884	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:44.013750076 CET	443	49884	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:44.013820887 CET	49884	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:44.014014959 CET	49884	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:44.014075041 CET	443	49884	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:44.014139891 CET	49884	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:46.286812067 CET	49897	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:46.286856890 CET	443	49897	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:46.286932945 CET	49897	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:46.287087917 CET	49897	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:46.287101030 CET	443	49897	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:47.728287935 CET	443	49897	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:47.728399992 CET	49897	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:47.728630066 CET	49897	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:47.728646994 CET	443	49897	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:47.728981972 CET	49905	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:47.729031086 CET	443	49905	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:47.729115963 CET	49905	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:47.729377985 CET	49905	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:47.729393005 CET	443	49905	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:48.917531013 CET	443	49905	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:48.917619944 CET	49905	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:48.917774916 CET	49905	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:48.917792082 CET	443	49905	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:48.918179035 CET	49913	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:48.918210030 CET	443	49913	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:48.918272972 CET	49913	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:48.918426037 CET	49913	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:48.918483973 CET	443	49913	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:48.918531895 CET	49913	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:51.023359060 CET	49924	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:51.023401976 CET	443	49924	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:51.023463011 CET	49924	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:51.024372101 CET	49924	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:51.024384975 CET	443	49924	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:52.220673084 CET	443	49924	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:52.220767975 CET	49924	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:52.220825911 CET	49924	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:52.220845938 CET	443	49924	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:52.221241951 CET	49933	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:52.221292973 CET	443	49933	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:52.221355915 CET	49933	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:52.221652985 CET	49933	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:52.221667051 CET	443	49933	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:53.417710066 CET	443	49933	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:53.417804956 CET	49933	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:53.417861938 CET	49933	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:53.417896032 CET	443	49933	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:53.418304920 CET	49941	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:53.418348074 CET	443	49941	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:53.418411970 CET	49941	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:53.418669939 CET	49941	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:53.418732882 CET	443	49941	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:53.418781996 CET	49941	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:55.193238020 CET	49953	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:55.193377972 CET	443	49953	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:55.193478107 CET	49953	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:55.193736076 CET	49953	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:55.193783045 CET	443	49953	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:56.389333963 CET	443	49953	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:56.389568090 CET	49953	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:56.389602900 CET	49953	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:56.389621973 CET	443	49953	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:56.390001059 CET	49959	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:56.390043974 CET	443	49959	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:56.390130043 CET	49959	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:56.390496969 CET	49959	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:56.390508890 CET	443	49959	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:57.575169086 CET	443	49959	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:57.575790882 CET	49959	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:57.575840950 CET	49959	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:57.575861931 CET	443	49959	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:57.576139927 CET	49969	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:57.576164007 CET	443	49969	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:57.580034018 CET	49969	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:57.580204010 CET	49969	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:57.580271006 CET	443	49969	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:57.583111048 CET	49969	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:59.349533081 CET	49980	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:59.349577904 CET	443	49980	87.120.113.125	192.168.2.5
Oct 31, 2024 06:47:59.349662066 CET	49980	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:59.349911928 CET	49980	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:47:59.349925041 CET	443	49980	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:00.556890965 CET	443	49980	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:00.557657957 CET	49980	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:00.560995102 CET	49980	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:00.561019897 CET	443	49980	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:00.561320066 CET	49987	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:00.561352968 CET	443	49987	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:00.561644077 CET	49987	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:00.562222004 CET	49987	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:00.562236071 CET	443	49987	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:02.005331993 CET	443	49987	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:02.005408049 CET	49987	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:02.005479097 CET	49987	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:02.005496025 CET	443	49987	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:02.005860090 CET	49994	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:02.005893946 CET	443	49994	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:02.005954981 CET	49994	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:02.006164074 CET	49994	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:02.006197929 CET	443	49994	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:02.006244898 CET	49994	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:03.787406921 CET	50005	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:03.787441015 CET	443	50005	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:03.787604094 CET	50005	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:03.787687063 CET	50005	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:03.787694931 CET	443	50005	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:04.984419107 CET	443	50005	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:04.984524965 CET	50005	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:04.984690905 CET	50005	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:04.984704971 CET	443	50005	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:04.984951973 CET	50015	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:04.984986067 CET	443	50015	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:04.985044003 CET	50015	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:04.985348940 CET	50015	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:04.985364914 CET	443	50015	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:06.179491043 CET	443	50015	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:06.179568052 CET	50015	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:06.179649115 CET	50015	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:06.179666996 CET	443	50015	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:06.179999113 CET	50020	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:06.180032969 CET	443	50020	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:06.180115938 CET	50020	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:06.180305004 CET	50020	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:06.180354118 CET	443	50020	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:06.180454969 CET	50020	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:07.943264008 CET	50021	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:07.943303108 CET	443	50021	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:07.943420887 CET	50021	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:07.943634033 CET	50021	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:07.943645000 CET	443	50021	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:09.173053980 CET	443	50021	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:09.173208952 CET	50021	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:09.173264027 CET	50021	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:09.173289061 CET	443	50021	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:09.173625946 CET	50022	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:09.173671961 CET	443	50022	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:09.173738956 CET	50022	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:09.174128056 CET	50022	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:09.174149036 CET	443	50022	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:10.373327971 CET	443	50022	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:10.373404026 CET	50022	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:10.373450041 CET	50022	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:10.373467922 CET	443	50022	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:10.373922110 CET	50023	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:10.373963118 CET	443	50023	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:10.374052048 CET	50023	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:10.374376059 CET	50023	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:10.374414921 CET	443	50023	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:10.374494076 CET	50023	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:12.615566969 CET	50024	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:12.615617037 CET	443	50024	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:12.615705013 CET	50024	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:12.615993023 CET	50024	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:12.616009951 CET	443	50024	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:13.817970037 CET	443	50024	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:13.818062067 CET	50024	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:13.818111897 CET	50024	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:13.818136930 CET	443	50024	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:13.818504095 CET	50025	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:13.818552017 CET	443	50025	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:13.818619013 CET	50025	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:13.818936110 CET	50025	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:13.818953991 CET	443	50025	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:15.033509016 CET	443	50025	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:15.033579111 CET	50025	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:15.033752918 CET	50025	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:15.033778906 CET	443	50025	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:15.034262896 CET	50026	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:15.034316063 CET	443	50026	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:15.034387112 CET	50026	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:15.034610033 CET	50026	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:15.034642935 CET	443	50026	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:15.034691095 CET	50026	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:17.037271023 CET	50027	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:17.037333965 CET	443	50027	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:17.037482977 CET	50027	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:17.037801981 CET	50027	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:17.037817955 CET	443	50027	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:18.241483927 CET	443	50027	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:18.241614103 CET	50027	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:18.241775990 CET	50027	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:18.241805077 CET	443	50027	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:18.242095947 CET	50028	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:18.242194891 CET	443	50028	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:18.242279053 CET	50028	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:18.242563963 CET	50028	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:18.242598057 CET	443	50028	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:19.449667931 CET	443	50028	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:19.449835062 CET	50028	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:19.449879885 CET	50028	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:19.449898958 CET	443	50028	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:19.450347900 CET	50029	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:19.450407982 CET	443	50029	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:19.450465918 CET	50029	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:19.450800896 CET	50029	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:19.450836897 CET	443	50029	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:19.450886011 CET	50029	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:21.584044933 CET	50030	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:21.584156990 CET	443	50030	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:21.584311962 CET	50030	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:21.584563017 CET	50030	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:21.584594011 CET	443	50030	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:22.796577930 CET	443	50030	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:22.796719074 CET	50030	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:22.796778917 CET	50030	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:22.796802044 CET	443	50030	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:22.797207117 CET	50031	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:22.797246933 CET	443	50031	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:22.797307968 CET	50031	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:22.797674894 CET	50031	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:22.797683001 CET	443	50031	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:24.003772020 CET	443	50031	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:24.003839970 CET	50031	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:24.003897905 CET	50031	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:24.003911018 CET	443	50031	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:24.004348993 CET	50032	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:24.004380941 CET	443	50032	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:24.004477978 CET	50032	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:24.004658937 CET	50032	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:24.004674911 CET	443	50032	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:24.004726887 CET	50032	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:25.788326025 CET	50033	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:25.788377047 CET	443	50033	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:25.788460016 CET	50033	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:25.788881063 CET	50033	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:25.788893938 CET	443	50033	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:26.971602917 CET	443	50033	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:26.971695900 CET	50033	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:26.971856117 CET	50033	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:26.971879005 CET	443	50033	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:26.972232103 CET	50034	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:26.972275972 CET	443	50034	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:26.972347021 CET	50034	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:26.972747087 CET	50034	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:26.972765923 CET	443	50034	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:28.191508055 CET	443	50034	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:28.191680908 CET	50034	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:28.191720963 CET	50034	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:28.191735983 CET	443	50034	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:28.192151070 CET	50035	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:28.192208052 CET	443	50035	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:28.192270994 CET	50035	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:28.192784071 CET	50035	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:28.192820072 CET	443	50035	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:28.192867994 CET	50035	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:30.271769047 CET	50036	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:30.271823883 CET	443	50036	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:30.271941900 CET	50036	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:30.272241116 CET	50036	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:30.272253036 CET	443	50036	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:31.482927084 CET	443	50036	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:31.483006001 CET	50036	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:31.483057976 CET	50036	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:31.483071089 CET	443	50036	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:31.483484983 CET	50037	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:31.483537912 CET	443	50037	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:31.483599901 CET	50037	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:31.483900070 CET	50037	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:31.483911991 CET	443	50037	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:32.699333906 CET	443	50037	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:32.699433088 CET	50037	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:32.699508905 CET	50037	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:32.699533939 CET	443	50037	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:32.699956894 CET	50038	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:32.699995041 CET	443	50038	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:32.700056076 CET	50038	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:32.700289965 CET	50038	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:32.700308084 CET	443	50038	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:32.700347900 CET	50038	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:34.927551985 CET	50039	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:34.927611113 CET	443	50039	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:34.927694082 CET	50039	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:34.927962065 CET	50039	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:34.927982092 CET	443	50039	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:36.149225950 CET	443	50039	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:36.149343014 CET	50039	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:36.149446011 CET	50039	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:36.149492025 CET	443	50039	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:36.149777889 CET	50040	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:36.149882078 CET	443	50040	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:36.149966002 CET	50040	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:36.150271893 CET	50040	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:36.150310993 CET	443	50040	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:37.349194050 CET	443	50040	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:37.349275112 CET	50040	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:37.349344015 CET	50040	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:37.349361897 CET	443	50040	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:37.349844933 CET	50041	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:37.349885941 CET	443	50041	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:37.349948883 CET	50041	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:37.350238085 CET	50041	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:37.350261927 CET	443	50041	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:37.350347996 CET	50041	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:39.505618095 CET	50042	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:39.505743980 CET	443	50042	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:39.505847931 CET	50042	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:39.506203890 CET	50042	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:39.506233931 CET	443	50042	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:40.700064898 CET	443	50042	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:40.700160980 CET	50042	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:40.700248003 CET	50042	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:40.700297117 CET	443	50042	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:40.700586081 CET	50043	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:40.700627089 CET	443	50043	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:40.700719118 CET	50043	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:40.700994015 CET	50043	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:40.701004028 CET	443	50043	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:41.915018082 CET	443	50043	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:41.915160894 CET	50043	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:41.915210962 CET	50043	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:41.915230036 CET	443	50043	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:41.915757895 CET	50044	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:41.915805101 CET	443	50044	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:41.915873051 CET	50044	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:41.916157961 CET	50044	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:41.916193962 CET	443	50044	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:41.916246891 CET	50044	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:44.209081888 CET	50045	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:44.209129095 CET	443	50045	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:44.209218025 CET	50045	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:44.209481955 CET	50045	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:44.209495068 CET	443	50045	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:45.418016911 CET	443	50045	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:45.418220997 CET	50045	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:45.418268919 CET	50045	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:45.418289900 CET	443	50045	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:45.418683052 CET	50046	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:45.418726921 CET	443	50046	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:45.418798923 CET	50046	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:45.419150114 CET	50046	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:45.419171095 CET	443	50046	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:47.168670893 CET	443	50046	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:47.168791056 CET	50046	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:47.168873072 CET	50046	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:47.168889046 CET	443	50046	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:47.169233084 CET	50047	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:47.169276953 CET	443	50047	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:47.169445038 CET	50047	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:47.169711113 CET	50047	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:47.169734001 CET	443	50047	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:47.169778109 CET	50047	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:49.177637100 CET	50048	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:49.177742958 CET	443	50048	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:49.177938938 CET	50048	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:49.178220987 CET	50048	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:49.178256035 CET	443	50048	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:50.375022888 CET	443	50048	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:50.375101089 CET	50048	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:50.375164032 CET	50048	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:50.375185013 CET	443	50048	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:50.375586033 CET	50049	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:50.375636101 CET	443	50049	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:50.375701904 CET	50049	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:50.375993013 CET	50049	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:50.376008034 CET	443	50049	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:51.568226099 CET	443	50049	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:51.568329096 CET	50049	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:51.568387032 CET	50049	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:51.568416119 CET	443	50049	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:51.568779945 CET	50050	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:51.568833113 CET	443	50050	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:51.568897009 CET	50050	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:51.569174051 CET	50050	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:51.569219112 CET	443	50050	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:51.569257975 CET	50050	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:53.273305893 CET	50051	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:53.273363113 CET	443	50051	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:53.273452997 CET	50051	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:53.273767948 CET	50051	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:53.273782969 CET	443	50051	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:54.486082077 CET	443	50051	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:54.488034010 CET	50051	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:54.488152981 CET	50051	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:54.488176107 CET	443	50051	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:54.488692045 CET	50052	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:54.488740921 CET	443	50052	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:54.488810062 CET	50052	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:54.489823103 CET	50052	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:54.489845037 CET	443	50052	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:55.692660093 CET	443	50052	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:55.692756891 CET	50052	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:55.692822933 CET	50052	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:55.692846060 CET	443	50052	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:55.693409920 CET	50053	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:55.693453074 CET	443	50053	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:55.693564892 CET	50053	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:55.693727970 CET	50053	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:55.693763018 CET	443	50053	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:55.693829060 CET	50053	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:57.584027052 CET	50054	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:57.584081888 CET	443	50054	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:57.584207058 CET	50054	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:57.584404945 CET	50054	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:57.584419966 CET	443	50054	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:58.807653904 CET	443	50054	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:58.807745934 CET	50054	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:58.807843924 CET	50054	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:58.807867050 CET	443	50054	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:58.808345079 CET	50055	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:58.808393955 CET	443	50055	87.120.113.125	192.168.2.5
Oct 31, 2024 06:48:58.808465004 CET	50055	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:58.808882952 CET	50055	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:48:58.808898926 CET	443	50055	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:00.018002987 CET	443	50055	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:00.018121004 CET	50055	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:00.018208027 CET	50055	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:00.018227100 CET	443	50055	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:00.018794060 CET	50056	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:00.018836021 CET	443	50056	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:00.018914938 CET	50056	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:00.019253016 CET	50056	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:00.019287109 CET	443	50056	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:00.019332886 CET	50056	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:02.162251949 CET	50057	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:02.162313938 CET	443	50057	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:02.162375927 CET	50057	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:02.166102886 CET	50057	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:02.166119099 CET	443	50057	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:03.523968935 CET	443	50057	87.120.113.125	192.168.2.5
Oct 31, 2024 06:49:03.524044037 CET	50057	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:03.525898933 CET	50057	443	192.168.2.5	87.120.113.125
Oct 31, 2024 06:49:03.525918961 CET	443	50057	87.120.113.125	192.168.2.5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: demon.exePID: 5596, Parent PID: 1028

General

Target ID:	0
Start time:	01:46:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\demon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\demon.exe"
Imagebase:	0x7ff7c5e80000
File size:	102'400 bytes
MD5 hash:	C8CBAD944550F18E550725F69EDF5553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: demon.exePID: 5596, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	699
Total number of Limit Nodes:	13

Executed Functions

Function 00007FF7C5E88D50 Relevance: 9.3, APIs: 6, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE ref: 00007FF7C5E88EA3
GetUserNameA.ADVAPI32 ref: 00007FF7C5E88F46
GetComputerNameExA.KERNELBASE ref: 00007FF7C5E88FEC
GetComputerNameExA.KERNELBASE ref: 00007FF7C5E89031
GetAdaptersInfo.IPHLPAPI ref: 00007FF7C5E89092
GetAdaptersInfo.IPHLPAPI ref: 00007FF7C5E890C7

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID: Name$Computer$AdaptersInfo$User
String ID:
API String ID: 2135084416-0
Opcode ID: b395df4d200d957b4e89245a8b9b89cbda0e436c5d1a7f11c22c1a02f5fd7a7c
Instruction ID: 37f311202ad057dcb2f842ba6009e2911da603b51bef299f03448133ac519f82
Opcode Fuzzy Hash: b395df4d200d957b4e89245a8b9b89cbda0e436c5d1a7f11c22c1a02f5fd7a7c
Instruction Fuzzy Hash: 96E16135708A8681F714FF2AD6903BAA3A1FB88FA4F814531DE5E8B795DE3ED4448710

Function 00007FF7C5E8E4A0 Relevance: 1.6, APIs: 1, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 00007FF7C5E8E5B7

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 34cc7978ff21579b6f0cfdcad7888ee9b73578415797b19f0ea4efcafc860fb8
Instruction ID: ab64cdc5eea6fcd3b2548b3e2d28c6ebe20c113f10821e5e0b7812021a3d62ee
Opcode Fuzzy Hash: 34cc7978ff21579b6f0cfdcad7888ee9b73578415797b19f0ea4efcafc860fb8
Instruction Fuzzy Hash: 1131E433B1868186EB21DF09E540B69B7A0FB44BA4F854031EE8E4B750EA3EE442CB10

Function 00007FF7C5E8C6D0 Relevance: .4, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5004052b8b0b6a0438d7107323449583e4aea3d27dc69899604e5c1e6c0d1f5a
Instruction ID: ba27f25f800cad82413202ba7d094d5b6c82afe3daee3f03bba9f3e08e69b7ce
Opcode Fuzzy Hash: 5004052b8b0b6a0438d7107323449583e4aea3d27dc69899604e5c1e6c0d1f5a
Instruction Fuzzy Hash: 3E025976708A8581EB60AF2AE6407AAA7A1FB85F98F848036CF4D4B794CF7DD445C710

Function 00007FF7C5E94E80 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfdf81eebfef682ffa2e1ee6fa4e4cea48e17d813d715886c93370a24776e91
Instruction ID: 9cd096cc7ab7d62890a726395574431a1bc666df314bed0a3f01a608890b4fe6
Opcode Fuzzy Hash: 2bfdf81eebfef682ffa2e1ee6fa4e4cea48e17d813d715886c93370a24776e91
Instruction Fuzzy Hash: A3116D7261878182D654AF05F9807AAB7A0FBC8B94F945135EF890BB68CF3DD450CF00

Function 00007FF7C5E94FE0 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb1c45a7adcaa5b56f3a35513dba38b34ad65e76fa7b0d16d8967bb75bfb0f7
Instruction ID: 5a05409b0695b8bd6864b71d96bae0ba7bd5441852ed6c205255da05b9eceee6
Opcode Fuzzy Hash: 0fb1c45a7adcaa5b56f3a35513dba38b34ad65e76fa7b0d16d8967bb75bfb0f7
Instruction Fuzzy Hash: 1211653661878182D654AF05F5407AAB7A0FBC4F94F944136EF890BB65CF3DD450CB40

Function 00007FF7C5E8E620 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FF7C5E8E82E

Strings

, xrefs: 00007FF7C5E8E788

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-3916222277
Opcode ID: 23029e0fd72791b0afa8e0e17f5f234f4892c05e4ca6bdadf15a832bab745782
Instruction ID: 56f69ff118d23e5fd94df578eda85790492dc7f3ba356bd80ecefaba93694cf7
Opcode Fuzzy Hash: 23029e0fd72791b0afa8e0e17f5f234f4892c05e4ca6bdadf15a832bab745782
Instruction Fuzzy Hash: FD516132A0878581EB50AF59E2543BEA7A1EB84F94F944035EA4D4FB98DF7ED044C750

Non-executed Functions

Function 00007FF7C5E95E40 Relevance: 8.1, Strings: 6, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 00007FF7C5E966DE
, xrefs: 00007FF7C5E968E4
8, xrefs: 00007FF7C5E96558
d, xrefs: 00007FF7C5E96196
#, xrefs: 00007FF7C5E9629E
, xrefs: 00007FF7C5E95FA1

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID: $ $#$8$8$d
API String ID: 0-424029278
Opcode ID: ddbbfa8ed4b5a216ed5e0180370eac400a91362597c97a1ec72a1d3185b6f47a
Instruction ID: 6ed4d16b7556edc90c3378e2cc65b463d625c3da3f9dee247c5162a9b6eee5c4
Opcode Fuzzy Hash: ddbbfa8ed4b5a216ed5e0180370eac400a91362597c97a1ec72a1d3185b6f47a
Instruction Fuzzy Hash: DD626A76609BC185EB609F11E1403EAB7A5F7C4BA8F944236DA8D1BB98CF7ED045CB00

Function 00007FF7C5E97C00 Relevance: 5.2, Strings: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FF7C5E97DA0
, xrefs: 00007FF7C5E97E54
(, xrefs: 00007FF7C5E97D5F
BM, xrefs: 00007FF7C5E97D99

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID: $($6$BM
API String ID: 0-1480521668
Opcode ID: 176194a2f4b705d9e5c0915ca469a40ee453808a276cdac50f7e7f519167e610
Instruction ID: 30465c4c9831ed34f8cf12c6551959d4692094dfbb1682c9ee7f17af906451b6
Opcode Fuzzy Hash: 176194a2f4b705d9e5c0915ca469a40ee453808a276cdac50f7e7f519167e610
Instruction Fuzzy Hash: B4917C36708B8486EB649F16E5143AAB7A1F788F90F844039DF4957B98DF7DD449CB00

Function 00007FF7C5E8AAF0 Relevance: 1.8, Strings: 1, Instructions: 573
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF7C5E8ABC0

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f665ea64ed6b17c0c920e4aa6fd9f220a6417070c16a6c2c36b2de5e16cbbf5b
Instruction ID: 5af7b4996cb03b42d4d44455e78e5f30d72afd213277661bcb473ae3f436843e
Opcode Fuzzy Hash: f665ea64ed6b17c0c920e4aa6fd9f220a6417070c16a6c2c36b2de5e16cbbf5b
Instruction Fuzzy Hash: D7622976204BC486D7A0DF25E4847AAB7A4F788B98F408236DF9D5BB98CF79D445CB00

Function 00007FF7C5E93EC0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563078ae29a94c0104b7c4cc62a7c4da0757021fed9b9dc9c78a03f83bd2d2e3
Instruction ID: 4a36ba3839f112952e521f2bbd694899c036120f21da40f154b443aa33864831
Opcode Fuzzy Hash: 563078ae29a94c0104b7c4cc62a7c4da0757021fed9b9dc9c78a03f83bd2d2e3
Instruction Fuzzy Hash: E2D14C36B06A4544EB54AF62D260BFA67A0FFD8F54F98C032CA0C07B55CE29D449C3E1

Function 00007FF7C5E8666F Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6a4458ac8f71261f816882bc847e55aa200f67676b0dff1ff1da7d2ff6b98f
Instruction ID: dcf17e572e43e6e8a3bda6079ee6ec2f08e6ace92e02e83ab353f59ef0c0ca16
Opcode Fuzzy Hash: 4f6a4458ac8f71261f816882bc847e55aa200f67676b0dff1ff1da7d2ff6b98f
Instruction Fuzzy Hash: 18619272B0868186EB14BF2AE25537AA790FB84FA4F805431DE4E0B795DF3EE4458760

Function 00007FF7C5E8C0A0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87f28634a6c7cd22f9c5004284ddff9a0c026c5c98089009fecd2e000701a0a
Instruction ID: 3cf3cd951155049ea357a24497f4610f65f6904d37275dbd83b85e4f008022a2
Opcode Fuzzy Hash: d87f28634a6c7cd22f9c5004284ddff9a0c026c5c98089009fecd2e000701a0a
Instruction Fuzzy Hash: DE619E36304A8586D7609F66E550B6AB7A0FB89F98F449031EF4E5BB98CF3DD405CB00

Function 00007FF7C5E96E70 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66da060505c078e24e4a769a13462c39d05cf2f3dee6e5755d5b34d6c036764b
Instruction ID: 38bee92536d8abea6b4e0a4a49cea7c19d460e12b5955cb463ac1fc71fa63043
Opcode Fuzzy Hash: 66da060505c078e24e4a769a13462c39d05cf2f3dee6e5755d5b34d6c036764b
Instruction Fuzzy Hash: 2E51513260869286E624AF16F6506BEB7A1FB45F94F944035EF4D0B794DE3FE844CB10

Function 00007FF7C5E811E0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3300487721.00007FF7C5E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5E80000, based on PE: true

Associated: 00000000.00000002.3300444659.00007FF7C5E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300509849.00007FF7C5E99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300524075.00007FF7C5E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3300565664.00007FF7C5E9D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c5e80000_demon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f703cd1896e92a8ea5974dddae7fbdbbbeff298064ce552387292163702aa10e
Instruction ID: 19c3377c7072c23d1c214d7b4151ad80a2793eb038de46561271cf493f3b9f78
Opcode Fuzzy Hash: f703cd1896e92a8ea5974dddae7fbdbbbeff298064ce552387292163702aa10e
Instruction Fuzzy Hash: 00512453A2E1D185E35A8B7A6560BAEEF90D7AAB54F487164FFCA47B87C41CC041CB10

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report demon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: demon.exePID: 5596, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: demon.exePID: 5596, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
demon.exe

Function 00007FF7C5E88D50 Relevance: 9.3, APIs: 6, Instructions: 319
COMMON

Function 00007FF7C5E8E4A0 Relevance: 1.6, APIs: 1, Instructions: 91
libraryloaderCOMMON

Function 00007FF7C5E8C6D0 Relevance: .4, Instructions: 370
COMMON

Function 00007FF7C5E94E80 Relevance: .0, Instructions: 38
COMMON

Function 00007FF7C5E94FE0 Relevance: .0, Instructions: 38
COMMON

Function 00007FF7C5E8E620 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146
libraryloaderCOMMON

Function 00007FF7C5E95E40 Relevance: 8.1, Strings: 6, Instructions: 592
COMMON

Function 00007FF7C5E97C00 Relevance: 5.2, Strings: 4, Instructions: 218
COMMON

Function 00007FF7C5E8AAF0 Relevance: 1.8, Strings: 1, Instructions: 573
COMMON