File name: magicline4nx_setup.exe

Full analysis: https://app.any.run/tasks/bd3cd31a-7638-4d9a-bbfe-c47feac4ebba
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 19, 2024, 02:12:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: ED13F3278BBE177CF2F1D0B446ABD2C0
SHA1: A6D68DBE22BE66E6C3891DD9CC4A803B33AB34BE
SHA256: 47314D936942E3BB71DD54AF9B3795D482BFAFC8AD5370F4B3EBD6A9FF9AC7A2
SSDEEP: 98304:OVFdn1DqYRtkXNufDYvAL2MlRws61Damcq2+LB/Z93t3ZV7or0+wPc35kRCCOf52:YV+7miVd4e5NGii8Trm1MHS7QjwW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • cscript.exe (PID: 5068)
      • certutil.exe (PID: 6192)
      • certutil.exe (PID: 7092)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
      • cscript.exe (PID: 6172)
    • Gets %appdata% folder path (SCRIPT)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Accesses environment variables (SCRIPT)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • magicline4nx_setup.exe (PID: 616)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • magicline4nx_setup.exe (PID: 616)
    • Reads security settings of Internet Explorer
      • magicline4nx_setup.exe (PID: 616)
    • Starts CMD.EXE for command execution
      • magicline4nx_setup.exe (PID: 616)
    • Uses TASKKILL.EXE to kill a process
      • cmd.exe (PID: 6400)
      • cmd.exe (PID: 6224)
    • Executable content was dropped or overwritten
      • magicline4nx_setup.exe (PID: 616)
    • Process drops a legitimate Windows executable
      • magicline4nx_setup.exe (PID: 616)
    • Creates a software uninstall entry
      • magicline4nx_setup.exe (PID: 616)
    • Adds/modifies Windows certificates
      • certmgr.exe (PID: 6900)
    • The process executes VB scripts
      • magicline4nx_setup.exe (PID: 616)
    • Creates FileSystem object to access the computer's file system (SCRIPT)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Checks whether a specific file exists (SCRIPT)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Runs shell command (SCRIPT)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Executes as a Windows service
      • MagicLine4NXServices.exe (PID: 1084)
  • INFO
    • Creates files in a temporary directory
      • magicline4nx_setup.exe (PID: 616)
    • Checks supported languages
      • magicline4nx_setup.exe (PID: 616)
      • certmgr.exe (PID: 6900)
      • certutil.exe (PID: 6192)
      • certutil.exe (PID: 7092)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
      • MagicLine4NX.exe (PID: 1068)
      • MagicLine4NXServices.exe (PID: 2576)
    • Reads the computer name
      • magicline4nx_setup.exe (PID: 616)
      • certutil.exe (PID: 6192)
      • certutil.exe (PID: 7092)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
    • The process uses the downloaded file
      • magicline4nx_setup.exe (PID: 616)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Process checks computer location settings
      • magicline4nx_setup.exe (PID: 616)
    • Creates files in the program directory
      • magicline4nx_setup.exe (PID: 616)
    • Creates files or folders in the user directory
      • magicline4nx_setup.exe (PID: 616)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
    • Reads security settings of Internet Explorer
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Sends debugging messages
      • magicline4nx_setup.exe (PID: 616)
    • Manual execution by a user
      • MagicLine4NX.exe (PID: 1068)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:27 06:26:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x310f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.32
ProductVersionNumber: 1.0.0.32
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Korean
CharacterSet: Windows, Korea (Shift - KSC 5601)
CompanyName: Dreamsecurity, Inc.
FileDescription: MagicLine4NX
FileVersion: 1.0.0.32
LegalCopyright: Copyright (C) 2016 Dreamsecurity Co., Ltd. All rights reserved.
ProductName: MagicLine4NX
ProductVersion: MagicLine4Web
No data.
Total processes: 160
Monitored processes: 32
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process launch sequence as rendered in the graph (processes tagged "no specs" carry that tag in the report):
  • start → magicline4nx_setup.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • certmgr.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe
  • conhost.exe (no specs)
  • certutil.exe
  • conhost.exe (no specs)
  • certutil.exe
  • conhost.exe (no specs)
  • cscript.exe
  • conhost.exe (no specs)
  • certutil.exe
  • conhost.exe (no specs)
  • certutil.exe
  • conhost.exe (no specs)
  • magicline4nxservices.exe
  • magicline4nx.exe
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • magicline4nxservices.exe
  • magicline4nx_setup.exe (no specs)

Process information

PID: 616
CMD: "C:\Users\admin\AppData\Local\Temp\magicline4nx_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\magicline4nx_setup.exe
Parent process: explorer.exe
User: admin
Company: Dreamsecurity, Inc.
Integrity Level: HIGH
Description: MagicLine4NX
Exit code: 0
Version: 1.0.0.32
Modules (images):
  • c:\users\admin\appdata\local\temp\magicline4nx_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 1068
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" 0
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Parent process: explorer.exe
User: admin
Company: Dreamsecurity
Integrity Level: MEDIUM
Description: MagicLine4NX
Version: 1.0.0.32
Modules (images):
  • c:\program files (x86)\dreamsecurity\magicline4nx\magicline4nx.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_a863d714867441db\comctl32.dll

PID: 1084
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe"
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Parent process: services.exe
User: SYSTEM
Company: Dreamsecurity
Integrity Level: SYSTEM
Description: MagicLine4NXServices
Version: 1.0.0.1
Modules (images):
  • c:\program files (x86)\dreamsecurity\magicline4nx\magicline4nxservices.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll
  • c:\windows\syswow64\advapi32.dll

PID: 1156
CMD: sc start MagicLine4NXSVC
Path: C:\Windows\SysWOW64\sc.exe
Parent process: magicline4nx_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\sc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 1252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: MagicLine4NXServices.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2576
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Parent process: magicline4nx_setup.exe
User: admin
Company: Dreamsecurity
Integrity Level: HIGH
Description: MagicLine4NXServices
Exit code: 0
Version: 1.0.0.1
Modules (images):
  • c:\program files (x86)\dreamsecurity\magicline4nx\magicline4nxservices.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll

PID: 3076
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release"
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Parent process: cscript.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\program files (x86)\dreamsecurity\magicline4nx\cert\nssutil3.dll
  • c:\program files (x86)\dreamsecurity\magicline4nx\cert\smime3.dll

PID: 3728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3864
CMD: sc stop MagicLine4NXSVC
Path: C:\Windows\SysWOW64\sc.exe
Parent process: magicline4nx_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\sc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
Total events: 4 086
Read events: 4 064
Write events: 18
Delete events: 4

Modification events

PID | Process | Key | Operation | Name | Value
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | delete value | NTSMagicLineNP | (none)
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | delete value | MagicLine4NX | (none)
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX | write | DisplayName | MagicLine4NX
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX | write | DisplayVersion | 1.0.0.32
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX | write | Publisher | Dreamsecurity, Inc.
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX | write | DisplayIcon | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX | write | UninstallString | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX | write | EstimatedSize | 16743
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NTSMagicLineNP | write | DefaultIcon | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe, 1
616 | magicline4nx_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NTSMagicLineNP | write | URL Protocol | (empty)

Executable files: 30
Suspicious files: 13
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\nsExec.dll | executable | 3EB4CD50DCB9F5981F5408578CB7FB70 | 1C2F19E57DC72587AA00800A498C5F581B7D6761DC13B24BCF287EA7BD5CA2BF
616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\KillProcDLL.dll | executable | 83142EAC84475F4CA889C73F10D9C179 | AE2F1658656E554F37E6EAC896475A3862841A18FFC6FAD2754E2D3525770729
616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\NsisUtil.dll | executable | 59541B9DA3C09F318A58BEF52C9FF131 | 74A542EF3BBE0673453286DFEB335C1D7BDE4E601C932A3D0D04C85EB098BB47
616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\nsProcess.dll | executable | FAA7F034B38E729A983965C04CC70FC1 | 579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll | executable | 043F110E1C505BD8D567595983146160 | 0D40ACEF75C1C98E3E081A4E0E92609495F40BEC60A341F27CE8C7ADD5957F38
616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.25.dll | executable | C5E9763804798318723056B9D56BD1BB | 8D5763D6CF8A38D8D97F9F4265B245E8C3FB6D343E21919D2F4885A67834BD9E
616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe | executable | 877F2A6FC5DA85AA4C9B38943EF21EAE | 394B85EC47B7B0850123F4AFC3F4B9165FC217D460396570A4218860A59DB1C7
616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid.conf | text | 65B23B61966A87AE3D45FFA7C5A8985C | 2D803D60C49A5B43C504A5700905AA21750C6F913DC92F5315AC4DDA722D1073
616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini | text | B5673572EA31449177E07E5C5CAE3BE2 | 7779A2B0F48B0339E1761E0D3E60ED07370B26EBB404477E95166A5E4A593114
616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe | executable | 8EDBD33B965B5D1C22DB0E722117D270 | EB04889EA50970D7681C7941EB7ED2480FB79FE67B54B010C2B5D8A7F3A568C2
HTTP(S) requests: 8
TCP/UDP connections: 57
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
696 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
8140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4032 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
824 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4360 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 216.58.212.142 | whitelisted
www.bing.com | 104.126.37.145, 104.126.37.131 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.4, 20.190.159.71, 20.190.159.73, 40.126.31.71, 20.190.159.23, 20.190.159.2, 20.190.159.0, 40.126.31.73 | whitelisted
go.microsoft.com | 184.30.17.189 | whitelisted
th.bing.com | 104.126.37.131, 104.126.37.145 | whitelisted
www.dreamsecurity.com | 14.32.171.72 | unknown

Threats

No threats detected

Debug output

Process | Message
magicline4nx_setup.exe | ExecShellAsUser: DLL_PROCESS_ATTACH
magicline4nx_setup.exe | ExecShellAsUser: got desktop
magicline4nx_setup.exe | ExecShellAsUser: elevated process detected
MagicLine4NX.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
MagicLine4NXServices.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
MagicLine4NXServices.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
magicline4nx_setup.exe | ExecShellAsUser: NSPIM_UNLOAD wait...
magicline4nx_setup.exe | ExecShellAsUser: thread finished
magicline4nx_setup.exe | ExecShellAsUser: NSPIM_UNLOAD
magicline4nx_setup.exe | ExecShellAsUser: DLL_PROCESS_DETACH