File name:

line-9.2.0.3402-installer_9Cor-k1.exe

Full analysis: https://app.any.run/tasks/894e666f-771c-4d6d-90fa-e2ed88f7dbd2
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: August 22, 2024, 07:02:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
netreactor
miner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0EDAEE326C15B375FD3A1B0E6AB058D4

SHA1:

A1C88A3C233058EC086251B27D82A8264EFD6908

SHA256:

977A81C4DA0471117319191CB8B3EDB7A6F2A9ADC23A460B6C60692E44F724F1

SSDEEP:

49152:/7HecD4dnbibBlw2zWoFgvKCINKfiqs68YQAiAcVSW0nKWPOUvb9ikm8eEEVlwqM:T+cD4dn1DoKyCINK/9QAYR0lj9djeEke

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 6364)
      • rsEngineSvc.exe (PID: 6132)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 6188)
      • LINE.exe (PID: 4076)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6608)
      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6712)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • jxn0s4w3.exe (PID: 6424)
      • component0.exe (PID: 6148)
      • UnifiedStub-installer.exe (PID: 6364)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
    • Executable content was dropped or overwritten

      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6608)
      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6712)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • jxn0s4w3.exe (PID: 6424)
      • UnifiedStub-installer.exe (PID: 6364)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
    • Reads security settings of Internet Explorer

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6628)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsWSC.exe (PID: 5704)
      • rsEngineSvc.exe (PID: 6712)
      • rsEDRSvc.exe (PID: 1432)
      • LineLauncher.exe (PID: 5956)
      • rsEngineSvc.exe (PID: 6132)
      • LINE.exe (PID: 6796)
      • LineUpdater.exe (PID: 1168)
      • LineLauncher.exe (PID: 252)
    • Reads the date of Windows installation

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6628)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • rsEDRSvc.exe (PID: 1920)
      • rsEngineSvc.exe (PID: 6132)
      • LineLauncher.exe (PID: 5956)
      • LineLauncher.exe (PID: 252)
      • LineUpdater.exe (PID: 1168)
    • Reads the Windows owner or organization settings

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
    • Process drops a legitimate Windows executable

      • jxn0s4w3.exe (PID: 6424)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • UnifiedStub-installer.exe (PID: 6364)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 6364)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 740)
      • rsWSC.exe (PID: 4644)
      • rsClientSvc.exe (PID: 7012)
      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1920)
      • WmiApSrv.exe (PID: 4076)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • line-9.2.0.3402-installer.exe (PID: 2660)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 6364)
      • line-9.2.0.3402-installer.exe (PID: 2660)
    • Executes application which crashes

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
    • The process drops C-runtime libraries

      • line-9.2.0.3402-installer.exe (PID: 2660)
      • UnifiedStub-installer.exe (PID: 6364)
    • Reads the BIOS version

      • LineAppMgr.exe (PID: 1432)
      • rsEDRSvc.exe (PID: 1920)
      • rsEngineSvc.exe (PID: 6132)
      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
    • The process creates files with name similar to system file names

      • line-9.2.0.3402-installer.exe (PID: 2660)
      • UnifiedStub-installer.exe (PID: 6364)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 6364)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 6364)
    • Checks Windows Trust Settings

      • UnifiedStub-installer.exe (PID: 6364)
      • rsWSC.exe (PID: 5704)
      • rsEngineSvc.exe (PID: 6712)
      • rsEDRSvc.exe (PID: 1432)
      • rsWSC.exe (PID: 4644)
      • rsEDRSvc.exe (PID: 1920)
      • rsEngineSvc.exe (PID: 6132)
      • LINE.exe (PID: 6796)
      • LineUpdater.exe (PID: 1168)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 6364)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 6364)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 6364)
      • rundll32.exe (PID: 6188)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 6364)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 6364)
    • Dropped object may contain URLs of miner pools

      • rsEngineSvc.exe (PID: 6132)
    • Application launched itself

      • rsAppUI.exe (PID: 5744)
    • The process checks if it is being run in the virtual environment

      • rsEngineSvc.exe (PID: 6132)
    • Process checks whether PowerShell's Script Block Logging is on

      • rsEDRSvc.exe (PID: 1920)
    • Changes Internet Explorer settings (feature browser emulation)

      • LineLauncher.exe (PID: 5956)
      • LineLauncher.exe (PID: 252)
      • LINE.exe (PID: 4076)
    • There is functionality for taking screenshot (YARA)

      • rsHelper.exe (PID: 4672)
    • Detected use of alternative data streams (AltDS)

      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
  • INFO

    • Checks supported languages

      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6608)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6628)
      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6712)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • jxn0s4w3.exe (PID: 6424)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsSyncSvc.exe (PID: 740)
      • rsSyncSvc.exe (PID: 6580)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • LineAppMgr.exe (PID: 1432)
      • rsWSC.exe (PID: 4644)
      • rsWSC.exe (PID: 5704)
      • rsClientSvc.exe (PID: 5124)
      • rsClientSvc.exe (PID: 7012)
      • rsEngineSvc.exe (PID: 6712)
      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1432)
      • rsHelper.exe (PID: 4672)
      • rsEDRSvc.exe (PID: 1920)
      • rsAppUI.exe (PID: 5744)
      • EPP.exe (PID: 5000)
      • rsAppUI.exe (PID: 3672)
      • rsAppUI.exe (PID: 7128)
      • rsAppUI.exe (PID: 568)
      • rsAppUI.exe (PID: 6456)
      • LINE.exe (PID: 6796)
      • LineLauncher.exe (PID: 5956)
      • rsLitmus.A.exe (PID: 4936)
      • LineUpdater.exe (PID: 1168)
      • LineLauncher.exe (PID: 252)
      • LINE.exe (PID: 4076)
    • Creates files in a temporary directory

      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6608)
      • line-9.2.0.3402-installer_9Cor-k1.exe (PID: 6712)
      • component0.exe (PID: 6148)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • jxn0s4w3.exe (PID: 6424)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsAppUI.exe (PID: 5744)
      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
    • Reads the computer name

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6628)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsSyncSvc.exe (PID: 740)
      • rsSyncSvc.exe (PID: 6580)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • LineAppMgr.exe (PID: 1432)
      • rsClientSvc.exe (PID: 5124)
      • rsWSC.exe (PID: 4644)
      • rsWSC.exe (PID: 5704)
      • rsClientSvc.exe (PID: 7012)
      • rsEngineSvc.exe (PID: 6712)
      • rsEngineSvc.exe (PID: 6132)
      • rsHelper.exe (PID: 4672)
      • rsEDRSvc.exe (PID: 1432)
      • rsEDRSvc.exe (PID: 1920)
      • rsAppUI.exe (PID: 5744)
      • rsAppUI.exe (PID: 7128)
      • rsAppUI.exe (PID: 3672)
      • LineLauncher.exe (PID: 5956)
      • LINE.exe (PID: 6796)
      • LineUpdater.exe (PID: 1168)
      • LineLauncher.exe (PID: 252)
      • LINE.exe (PID: 4076)
    • Process checks computer location settings

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6628)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • rsAppUI.exe (PID: 5744)
      • rsAppUI.exe (PID: 568)
      • LineLauncher.exe (PID: 5956)
      • rsAppUI.exe (PID: 6456)
      • LineUpdater.exe (PID: 1168)
      • LineLauncher.exe (PID: 252)
    • Reads the machine GUID from the registry

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsWSC.exe (PID: 5704)
      • rsWSC.exe (PID: 4644)
      • rsEngineSvc.exe (PID: 6712)
      • rsEngineSvc.exe (PID: 6132)
      • rsHelper.exe (PID: 4672)
      • rsEDRSvc.exe (PID: 1432)
      • rsEDRSvc.exe (PID: 1920)
      • rsAppUI.exe (PID: 5744)
      • LineLauncher.exe (PID: 5956)
      • LineUpdater.exe (PID: 1168)
      • LINE.exe (PID: 6796)
      • LineLauncher.exe (PID: 252)
      • LINE.exe (PID: 4076)
    • Checks proxy server information

      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • component0.exe (PID: 6148)
      • UnifiedStub-installer.exe (PID: 6364)
      • WerFault.exe (PID: 3728)
      • WerFault.exe (PID: 7000)
      • rsWSC.exe (PID: 5704)
      • rsAppUI.exe (PID: 5744)
      • LINE.exe (PID: 6796)
    • Disables trace logs

      • component0.exe (PID: 6148)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1920)
    • Reads Environment values

      • component0.exe (PID: 6148)
      • UnifiedStub-installer.exe (PID: 6364)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1920)
      • rsAppUI.exe (PID: 5744)
    • Reads the software policy settings

      • component0.exe (PID: 6148)
      • line-9.2.0.3402-installer_9Cor-k1.tmp (PID: 6740)
      • UnifiedStub-installer.exe (PID: 6364)
      • WerFault.exe (PID: 7000)
      • WerFault.exe (PID: 3728)
      • rsWSC.exe (PID: 5704)
      • rsEngineSvc.exe (PID: 6712)
      • rsEDRSvc.exe (PID: 1432)
      • rsWSC.exe (PID: 4644)
      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1920)
      • LINE.exe (PID: 6796)
      • LineUpdater.exe (PID: 1168)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 6364)
      • rsWSC.exe (PID: 5704)
      • rsEngineSvc.exe (PID: 6712)
      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1432)
      • rsEDRSvc.exe (PID: 1920)
      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3728)
      • line-9.2.0.3402-installer.exe (PID: 2660)
      • WerFault.exe (PID: 7000)
      • UnifiedStub-installer.exe (PID: 6364)
      • rsWSC.exe (PID: 5704)
      • rsEngineSvc.exe (PID: 6132)
      • rsAppUI.exe (PID: 5744)
      • LineLauncher.exe (PID: 5956)
      • LineUpdater.exe (PID: 1168)
      • rsAppUI.exe (PID: 7128)
      • LINE.exe (PID: 6796)
      • LineLauncher.exe (PID: 252)
      • LINE.exe (PID: 4076)
    • Dropped object may contain TOR URLs

      • line-9.2.0.3402-installer.exe (PID: 2660)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 6364)
      • rsWSC.exe (PID: 4644)
      • rsEngineSvc.exe (PID: 6132)
      • rsHelper.exe (PID: 4672)
      • rsEDRSvc.exe (PID: 1920)
    • Process checks whether UAC notifications are on

      • LineAppMgr.exe (PID: 1432)
      • LINE.exe (PID: 6796)
      • LINE.exe (PID: 4076)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 6376)
    • Reads the time zone

      • runonce.exe (PID: 6376)
      • rsEDRSvc.exe (PID: 1920)
      • rsEngineSvc.exe (PID: 6132)
    • Reads product name

      • rsEDRSvc.exe (PID: 1920)
      • rsEngineSvc.exe (PID: 6132)
      • rsAppUI.exe (PID: 5744)
    • Reads CPU info

      • rsEngineSvc.exe (PID: 6132)
      • rsEDRSvc.exe (PID: 1920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 423.56.98.8907
ProductVersionNumber: 423.56.98.8907
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Softonic International SA
FileVersion: 423.56.98.8907
LegalCopyright: ©2023 Softonic International SA
OriginalFileName:
ProductName: Softonic International SA
ProductVersion: 3.1.5.7
No data.
All screenshots are available in the full report
Total processes
190
Monitored processes
47
Malicious processes
12
Suspicious processes
5

Behavior graph

start line-9.2.0.3402-installer_9cor-k1.exe line-9.2.0.3402-installer_9cor-k1.tmp no specs line-9.2.0.3402-installer_9cor-k1.exe line-9.2.0.3402-installer_9cor-k1.tmp component0.exe jxn0s4w3.exe THREAT unifiedstub-installer.exe rssyncsvc.exe no specs conhost.exe no specs rssyncsvc.exe no specs line-9.2.0.3402-installer.exe werfault.exe werfault.exe lineappmgr.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs wevtutil.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs wevtutil.exe no specs conhost.exe no specs rswsc.exe THREAT rswsc.exe no specs rsclientsvc.exe no specs conhost.exe no specs rsclientsvc.exe no specs rsenginesvc.exe no specs THREAT rsenginesvc.exe THREAT rshelper.exe no specs rsedrsvc.exe no specs THREAT rsedrsvc.exe epp.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs linelauncher.exe no specs rsappui.exe no specs rslitmus.a.exe no specs conhost.exe no specs line.exe lineupdater.exe linelauncher.exe no specs line.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
252
CMD:
"C:\Users\admin\AppData\Local\LINE\bin\LineLauncher.exe" --updated 9.2.0.3402
Path:
C:\Users\admin\AppData\Local\LINE\bin\LineLauncher.exe
Parent process:
LineUpdater.exe
User:
admin
Company:
LY Corporation
Integrity Level:
HIGH
Description:
LINE
Exit code:
0
Version:
1.0.0.23
Modules
Images
c:\users\admin\appdata\local\line\bin\linelauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
300
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
fltMC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
568
CMD:
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2320 --field-trial-handle=1728,i,5575232025597184243,359035936259713644,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Path:
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
Parent process:
rsAppUI.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
LOW
Description:
ReasonLabs Application
Version:
1.4.2
Modules
Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID:
740
CMD:
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Path:
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Security Synchronize Service
Version:
1.8.5.0
Modules
Images
c:\program files\reasonlabs\common\rssyncsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1168
CMD:
C:\Users\admin\AppData\Local/LINE//bin/LineUpdater.exe --deploy 9.2.0.3402 en-US real 0
Path:
C:\Users\admin\AppData\Local\LINE\bin\LineUpdater.exe
Parent process:
LINE.exe
User:
admin
Company:
LY Corporation
Integrity Level:
HIGH
Description:
LineUpdater
Exit code:
1
Version:
1.0.1.88
Modules
Images
c:\users\admin\appdata\local\line\bin\lineupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1172
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
rsLitmus.A.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1432
CMD:
"C:\Users\admin\AppData\Local\LINE\bin\9.2.0.3402\LineAppMgr.exe" -afterinstall
Path:
C:\Users\admin\AppData\Local\LINE\bin\9.2.0.3402\LineAppMgr.exe
Parent process:
line-9.2.0.3402-installer.exe
User:
admin
Company:
LY Corporation
Integrity Level:
HIGH
Description:
LINE
Exit code:
0
Version:
8.4.0.3014
Modules
Images
c:\users\admin\appdata\local\line\bin\9.2.0.3402\lineappmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
1432
CMD:
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
Path:
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
Parent process:
UnifiedStub-installer.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
HIGH
Description:
Reason EDR Service
Exit code:
0
Version:
2.2.0
Modules
Images
c:\program files\reasonlabs\edr\rsedrsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1920
CMD:
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
Path:
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Reason Cybersecurity Ltd.
Integrity Level:
SYSTEM
Description:
Reason EDR Service
Version:
2.2.0
Modules
Images
c:\program files\reasonlabs\edr\rsedrsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2660
CMD:
"C:\Users\admin\Downloads\line-9.2.0.3402-installer.exe"
Path:
C:\Users\admin\Downloads\line-9.2.0.3402-installer.exe
Parent process:
line-9.2.0.3402-installer_9Cor-k1.tmp
User:
admin
Company:
LY Corporation
Integrity Level:
HIGH
Description:
LINE
Exit code:
0
Version:
9.2.0.3402
Modules
Images
c:\users\admin\downloads\line-9.2.0.3402-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
86 996
Read events
86 627
Write events
293
Delete events
76

Modification events

(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:
write
Name:
Owner
Value:
541A000029CC305661F4DA01
(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:
write
Name:
SessionHash
Value:
C85390025553B7600BD3517EF9F399542169FFFCF57FC703B4A1D3EE7C035B31
(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:
write
Name:
Sequence
Value:
1
(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1
(PID) Process:
(6740) line-9.2.0.3402-installer_9Cor-k1.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
(PID) Process:
(6148) component0.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\component0_RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(6148) component0.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\component0_RASAPI32
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(6148) component0.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\component0_RASAPI32
Operation:
write
Name:
EnableConsoleTracing
Value:
0
Executable files
668
Suspicious files
189
Text files
78
Unknown types
15

Dropped files

PID
Process
Filename
Type
PID: 6740
Process: line-9.2.0.3402-installer_9Cor-k1.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-8R5NP.tmp\is-FJUG0.tmp
Type:
MD5:
SHA256:
PID: 6740
Process: line-9.2.0.3402-installer_9Cor-k1.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-8R5NP.tmp\line-9.2.0.3402-installer.exe
Type:
MD5:
SHA256:
PID: 6740
Process: line-9.2.0.3402-installer_9Cor-k1.tmp
Filename: C:\Users\admin\Downloads\line-9.2.0.3402-installer.exe
Type:
MD5:
SHA256:
PID: 6740
Process: line-9.2.0.3402-installer_9Cor-k1.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-8R5NP.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID: 6712
Process: line-9.2.0.3402-installer_9Cor-k1.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-Q4GJ3.tmp\line-9.2.0.3402-installer_9Cor-k1.tmp
Type: executable
MD5: 62ED5886215FEDD237C3BDE6018DA87A
SHA256: 6ED54B13A42F8B404B30DF8FFFEED451F5E9CBC157AD7396AAB42FAB1F9484F8
PID: 6148
Process: component0.exe
Filename: C:\Users\admin\AppData\Local\Temp\jxn0s4w3.exe
Type: executable
MD5: 0FE9BE1E8AEE8D93AECCFBCCED910B4B
SHA256: 450D357F6BEBBA4D5025A5BC91E6DED8CF982D7C7A2C30E22AA932F20E541488
PID: 6740
Process: line-9.2.0.3402-installer_9Cor-k1.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-8R5NP.tmp\N.png
Type: image
MD5: 1A01027365500D86730A737EB32CBF2A
SHA256: D79A97538B93179012A5EBEBDE873EDC18E30A0287953800F7AA7EA4F25724E1
PID: 6424
Process: jxn0s4w3.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zS819DE3F2\cs-CZ\UnifiedStub.resources.dll
Type: executable
MD5: F230C03FC14C59760D29F3364A43581F
SHA256: 7DFB9CD2FA7AB935F6DCFABEB2F65CD1E3CB30BF0A4E0B8F6CC878F05147FDBC
PID: 6424
Process: jxn0s4w3.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zS819DE3F2\da-DK\UnifiedStub.resources.dll
Type: executable
MD5: C7D53FBA41BBD98B09ADC6370530187D
SHA256: 0973897156246245DAFC537D4023FD899E29F65F9AFCCC0049F41BC08138F5F5
PID: 6740
Process: line-9.2.0.3402-installer_9Cor-k1.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-8R5NP.tmp\is-LOBD3.tmp
Type: image
MD5: 4167C79312B27C8002CBEEA023FE8CB5
SHA256: C3BF350627B842BED55E6A72AB53DA15719B4F33C267A6A132CB99FF6AFE3CD8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
100
DNS requests
40
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
888
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1920
rsEDRSvc.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6132
rsEngineSvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6132
rsEngineSvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6132
rsEngineSvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAk0TOtH29pBvQ1YLJIYF4o%3D
unknown
whitelisted
6132
rsEngineSvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D
unknown
whitelisted
1920
rsEDRSvc.exe
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D
unknown
whitelisted
6132
rsEngineSvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTjzY2p9Pa8oibmj%2BNSMWsz63kmWgQUuhbZbU2FL3MpdpovdYxqII%2BeyG8CEAVEr%2FOUnQg5pr%2FbP1%2FlYRY%3D
unknown
whitelisted
1920
rsEDRSvc.exe
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAEllBL0tvuy4gAAAAAAAQ%3D
unknown
whitelisted
304
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2088
svchost.exe
52.183.220.149:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:138
whitelisted
4876
RUXIMICS.exe
52.183.220.149:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2120
MoUsoCoreWorker.exe
52.183.220.149:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2088
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6740
line-9.2.0.3402-installer_9Cor-k1.tmp
54.239.192.117:443
d25qho5rs4tpl0.cloudfront.net
AMAZON-02
US
unknown
6740
line-9.2.0.3402-installer_9Cor-k1.tmp
151.101.193.91:443
images.sftcdn.net
FASTLY
US
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6740
line-9.2.0.3402-installer_9Cor-k1.tmp
199.232.194.133:443
gsf-fl.softonic.com
FASTLY
US
unknown
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 52.183.220.149
  • 51.104.136.2
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.74.206
whitelisted
d25qho5rs4tpl0.cloudfront.net
  • 54.239.192.117
  • 54.239.192.135
  • 54.239.192.50
  • 54.239.192.189
whitelisted
images.sftcdn.net
  • 151.101.193.91
  • 151.101.1.91
  • 151.101.65.91
  • 151.101.129.91
whitelisted
gsf-fl.softonic.com
  • 199.232.194.133
  • 199.232.198.133
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.140
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

No threats detected
Process
Message
rsEngineSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
rsEDRSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...
LINE.exe
[MODULE_VALIDATOR] module open failed : "C:/Users/admin/AppData/Local/LINE/bin/9.2.0.3402/WtsApi32.dll"
LINE.exe
[MODULE_VALIDATOR] moduleName : "WtsApi32.dll" 0
LINE.exe
[MODULE_VALIDATOR] module open failed : "C:/Users/admin/AppData/Local/LINE/bin/WtsApi32.dll"
LINE.exe
[MODULE_VALIDATOR] moduleName : "WtsApi32.dll" 0
LINE.exe
[MODULE_VALIDATOR] module open failed : "C:/Users/admin/AppData/Local/LINE/bin/9.2.0.3402/rpcrt4.dll"
LINE.exe
[MODULE_VALIDATOR] moduleName : "rpcrt4.dll" 0
LINE.exe
[MODULE_VALIDATOR] module open failed : "C:/Users/admin/AppData/Local/LINE/bin/rpcrt4.dll"
LINE.exe
[MODULE_VALIDATOR] moduleName : "rpcrt4.dll" 0