File name: magicline4nx_setup.exe

Full analysis: https://app.any.run/tasks/bd3cd31a-7638-4d9a-bbfe-c47feac4ebba
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focused on its own kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 19, 2024, 02:12:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: ED13F3278BBE177CF2F1D0B446ABD2C0
SHA1: A6D68DBE22BE66E6C3891DD9CC4A803B33AB34BE
SHA256: 47314D936942E3BB71DD54AF9B3795D482BFAFC8AD5370F4B3EBD6A9FF9AC7A2
SSDEEP: 98304:OVFdn1DqYRtkXNufDYvAL2MlRws61Damcq2+LB/Z93t3ZV7or0+wPc35kRCCOf52:YV+7miVd4e5NGii8Trm1MHS7QjwW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets %appdata% folder path (SCRIPT)

      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Actions look like stealing of personal data

      • certutil.exe (PID: 7092)
      • certutil.exe (PID: 6192)
      • cscript.exe (PID: 5068)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
      • cscript.exe (PID: 6172)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • magicline4nx_setup.exe (PID: 616)
    • The process creates files with name similar to system file names

      • magicline4nx_setup.exe (PID: 616)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • magicline4nx_setup.exe (PID: 616)
    • Process drops legitimate windows executable

      • magicline4nx_setup.exe (PID: 616)
    • Creates a software uninstall entry

      • magicline4nx_setup.exe (PID: 616)
    • Starts CMD.EXE for commands execution

      • magicline4nx_setup.exe (PID: 616)
    • Executable content was dropped or overwritten

      • magicline4nx_setup.exe (PID: 616)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6224)
      • cmd.exe (PID: 6400)
    • Adds/modifies Windows certificates

      • certmgr.exe (PID: 6900)
    • The process executes VB scripts

      • magicline4nx_setup.exe (PID: 616)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Executes as Windows Service

      • MagicLine4NXServices.exe (PID: 1084)
  • INFO

    • The process uses the downloaded file

      • magicline4nx_setup.exe (PID: 616)
      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Checks supported languages

      • magicline4nx_setup.exe (PID: 616)
      • certmgr.exe (PID: 6900)
      • certutil.exe (PID: 7092)
      • certutil.exe (PID: 6192)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
      • MagicLine4NXServices.exe (PID: 2576)
      • MagicLine4NX.exe (PID: 1068)
    • Creates files in a temporary directory

      • magicline4nx_setup.exe (PID: 616)
    • Creates files in the program directory

      • magicline4nx_setup.exe (PID: 616)
    • Reads the computer name

      • magicline4nx_setup.exe (PID: 616)
      • certutil.exe (PID: 6192)
      • certutil.exe (PID: 7092)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
    • Process checks computer location settings

      • magicline4nx_setup.exe (PID: 616)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5068)
      • cscript.exe (PID: 6172)
    • Creates files or folders in the user directory

      • magicline4nx_setup.exe (PID: 616)
      • certutil.exe (PID: 3076)
      • certutil.exe (PID: 3944)
    • Manual execution by a user

      • MagicLine4NX.exe (PID: 1068)
    • Sends debugging messages

      • magicline4nx_setup.exe (PID: 616)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:27 06:26:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x310f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.32
ProductVersionNumber: 1.0.0.32
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Korean
CharacterSet: Windows, Korea (Shift - KSC 5601)
CompanyName: Dreamsecurity, Inc.
FileDescription: MagicLine4NX
FileVersion: 1.0.0.32
LegalCopyright: Copyright (C) 2016 Dreamsecurity Co., Ltd. All rights reserved.
ProductName: MagicLine4NX
ProductVersion: MagicLine4Web
All screenshots are available in the full report
Total processes: 160
Monitored processes: 32
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes in start order (the report marks processes without specific indicators as "no specs"): magicline4nx_setup.exe, cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), certmgr.exe (no specs), conhost.exe (no specs), cscript.exe, conhost.exe (no specs), certutil.exe, conhost.exe (no specs), certutil.exe, conhost.exe (no specs), cscript.exe, conhost.exe (no specs), certutil.exe, conhost.exe (no specs), certutil.exe, conhost.exe (no specs), magicline4nxservices.exe, magicline4nx.exe, conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), magicline4nxservices.exe, magicline4nx_setup.exe (no specs)

Process information

Each entry lists PID, CMD, Path, Parent process and the indicators captured for that process.
PID: 616
CMD: "C:\Users\admin\AppData\Local\Temp\magicline4nx_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\magicline4nx_setup.exe
Parent process: explorer.exe
User: admin
Company: Dreamsecurity, Inc.
Integrity Level: HIGH
Description: MagicLine4NX
Exit code: 0
Version: 1.0.0.32
Modules
Images
c:\users\admin\appdata\local\temp\magicline4nx_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1068
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" 0
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Parent process: explorer.exe
User: admin
Company: Dreamsecurity
Integrity Level: MEDIUM
Description: MagicLine4NX
Version: 1.0.0.32
Modules
Images
c:\program files (x86)\dreamsecurity\magicline4nx\magicline4nx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_a863d714867441db\comctl32.dll
PID: 1084
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe"
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Parent process: services.exe
User: SYSTEM
Company: Dreamsecurity
Integrity Level: SYSTEM
Description: MagicLine4NXServices
Version: 1.0.0.1
Modules
Images
c:\program files (x86)\dreamsecurity\magicline4nx\magicline4nxservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll
c:\windows\syswow64\advapi32.dll
PID: 1156
CMD: sc start MagicLine4NXSVC
Path: C:\Windows\SysWOW64\sc.exe
Parent process: magicline4nx_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: MagicLine4NXServices.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2576
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Parent process: magicline4nx_setup.exe
User: admin
Company: Dreamsecurity
Integrity Level: HIGH
Description: MagicLine4NXServices
Exit code: 0
Version: 1.0.0.1
Modules
Images
c:\program files (x86)\dreamsecurity\magicline4nx\magicline4nxservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll
PID: 3076
CMD: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release"
Path: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Parent process: cscript.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\program files (x86)\dreamsecurity\magicline4nx\cert\nssutil3.dll
c:\program files (x86)\dreamsecurity\magicline4nx\cert\smime3.dll
PID: 3728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3864
CMD: sc stop MagicLine4NXSVC
Path: C:\Windows\SysWOW64\sc.exe
Parent process: magicline4nx_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 4 086
Read events: 4 064
Write events: 18
Delete events: 4

Modification events

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: NTSMagicLineNP
Value:

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: MagicLine4NX
Value:

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX
Operation: write
Name: DisplayName
Value: MagicLine4NX

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX
Operation: write
Name: DisplayVersion
Value: 1.0.0.32

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX
Operation: write
Name: Publisher
Value: Dreamsecurity, Inc.

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MagicLine4NX
Operation: write
Name: EstimatedSize
Value: 16743

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NTSMagicLineNP
Operation: write
Name: DefaultIcon
Value: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe, 1

(PID) Process: (616) magicline4nx_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NTSMagicLineNP
Operation: write
Name: URL Protocol
Value:

Executable files: 30
Suspicious files: 13
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid_Eng.conf | text
MD5: 7015B31843A75675CBF45D0AFDB87976
SHA256: FC6A79FA5C0B88C6BBEEBAD76E3BE275AD61F27F02F34DC8F81061755D0FEAAF

616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\System.dll | executable
MD5: 4D3B19A81BD51F8CE44B93643A4E3A99
SHA256: FDA0018AB182AC6025D2FC9A2EFCCE3745D1DA21CE5141859F8286CF319A52CE

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der | binary
MD5: A08FA0A2A07CD45108D83F1E1E5396F6
SHA256: 21D87B0EAA08925FC728CAF929A10A4C86602008204CCC7CE0760F70CB37792B

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe.hmac | binary
MD5: C2783D7948923F518D2944AF4CB8534D
SHA256: 1FEE1E73E51D59E8FA7923BC283F167A026DCE980EE07C12584F076CC50276E9

616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\nsProcess.dll | executable
MD5: FAA7F034B38E729A983965C04CC70FC1
SHA256: 579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe | executable
MD5: 8EDBD33B965B5D1C22DB0E722117D270
SHA256: EB04889EA50970D7681C7941EB7ED2480FB79FE67B54B010C2B5D8A7F3A568C2

616 | magicline4nx_setup.exe | C:\Users\admin\AppData\Local\Temp\nsaBAFD.tmp\NsisUtil.dll | executable
MD5: 59541B9DA3C09F318A58BEF52C9FF131
SHA256: 74A542EF3BBE0673453286DFEB335C1D7BDE4E601C932A3D0D04C85EB098BB47

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity.com.der | binary
MD5: F1A2A050DB09D9BF775679DAF9930AC1
SHA256: 91EC941FF2DF1A0B67D740FBBBE22315CA32AEC307DA3E01145B0874281EDD57

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\KOR.ini | text
MD5: A8E649082B174EBC810DD565F02EBFF1
SHA256: CD3EC7C1CC5515839299A00E2D172564939D39C52FF2DADBEDACB3C0CB8E3BBC

616 | magicline4nx_setup.exe | C:\Program Files (x86)\DreamSecurity\MagicLine4NX\Images\Logo.bmp | image
MD5: 3BB4FFA8BB18643FE0CB306243827990
SHA256: 04C6BFDBAF078D637D9233786FB410103BBD50558BEA5C7C6D9411D58EDBBC55
HTTP(S) requests: 8
TCP/UDP connections: 57
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
696 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4032 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
824 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4360 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 216.58.212.142
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.73
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.73
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
th.bing.com
  • 104.126.37.131
  • 104.126.37.145
whitelisted
www.dreamsecurity.com
  • 14.32.171.72
unknown

Threats

No threats detected

Debug messages

Process | Message

magicline4nx_setup.exe | ExecShellAsUser: DLL_PROCESS_ATTACH
magicline4nx_setup.exe | ExecShellAsUser: got desktop
magicline4nx_setup.exe | ExecShellAsUser: elevated process detected
MagicLine4NX.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
MagicLine4NXServices.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
MagicLine4NXServices.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
magicline4nx_setup.exe | ExecShellAsUser: NSPIM_UNLOAD wait...
magicline4nx_setup.exe | ExecShellAsUser: thread finished
magicline4nx_setup.exe | ExecShellAsUser: NSPIM_UNLOAD
magicline4nx_setup.exe | ExecShellAsUser: DLL_PROCESS_DETACH