Edit tour

Windows Analysis Report
magicline4nx_setup.exe

Overview

General Information

Sample Name:	magicline4nx_setup.exe
Analysis ID:	755310
MD5:	7cec32c04fdae116ab0f7f4fd8372abd
SHA1:	8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
SHA256:	aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
Infos:

Detection

GuLoader, UACMe

Score:	90
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Detected unpacking (changes PE section rights)

Yara detected GuLoader

Yara detected UACMe UAC Bypass tool

Uses netsh to modify the Windows network and firewall settings

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to evade debugger and weak emulator (self modifying code)

DLL side loading technique detected

Modifies Internet Explorer zone settings

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains section with special chars

Hides threads from debuggers

Overwrites Mozilla Firefox settings

Installs new ROOT certificates

Changes security center settings (notifications, updates, antivirus, firewall)

Modifies the windows firewall

Drops certificate files (DER)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

EXE planting / hijacking vulnerabilities found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Checks for debuggers (devices)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

Enables debug privileges

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains capabilities to detect virtual machines

Uses taskkill to terminate processes

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64_ra

magicline4nx_setup.exe (PID: 5736 cmdline: C:\Users\user\Desktop\magicline4nx_setup.exe MD5: 7CEC32C04FDAE116AB0F7F4FD8372ABD)

cmd.exe (PID: 6204 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe MD5: 4943BA1A9B41D69643F69685E35B2943)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

taskkill.exe (PID: 6260 cmdline: taskkill /f /im NTSMagicLineNP.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)

sc.exe (PID: 6288 cmdline: sc stop MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

sc.exe (PID: 6380 cmdline: sc delete MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cmd.exe (PID: 6436 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe MD5: 4943BA1A9B41D69643F69685E35B2943)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

taskkill.exe (PID: 6484 cmdline: taskkill /f /im MagicLine4NX.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)

certmgr.exe (PID: 6512 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root MD5: 3A73031809C7DC0BB9BCE2F366345101)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cscript.exe (PID: 6564 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 6652 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 6712 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cscript.exe (PID: 6820 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 6908 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 7088 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

netsh.exe (PID: 6480 cmdline: netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" MD5: 718A726FCC5EFCE3529E7A244D87F13F)

conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

netsh.exe (PID: 6540 cmdline: netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes MD5: 718A726FCC5EFCE3529E7A244D87F13F)

conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

CheckNetIsolation.exe (PID: 6668 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

CheckNetIsolation.exe (PID: 6732 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

MagicLine4NX.exe (PID: 5700 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe MD5: A98F6351876129FED4A6CA7DB7CBD721)

MagicLine4NXServices.exe (PID: 6760 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install MD5: 877F2A6FC5DA85AA4C9B38943EF21EAE)

conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

sc.exe (PID: 1156 cmdline: sc start MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)

conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

svchost.exe (PID: 5992 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6936 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)

SgrmBroker.exe (PID: 7040 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: C51AA0BB954EA45E85572E6CC29BA6F4)

svchost.exe (PID: 7068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6272 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6348 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 9520A99E77D6196D0D09833146424113)

MagicLine4NXServices.exe (PID: 1936 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe MD5: 877F2A6FC5DA85AA4C9B38943EF21EAE)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19e020:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19e020:$c1: Elevation:Administrator!new: 0x1a44f8:$c1: Elevation:Administrator!new:
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1579576184.0000000000501000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1820:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1820:$c1: Elevation:Administrator!new: 0x7cf8:$c1: Elevation:Administrator!new:
0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1580731607.0000000000553000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19e040:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19e040:$c1: Elevation:Administrator!new: 0x1a4518:$c1: Elevation:Administrator!new:
0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x14bde0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x14bde0:$c1: Elevation:Administrator!new:
0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1209899240.0000000000542000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x242de0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x242de0:$c1: Elevation:Administrator!new:
0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: magicline4nx_setup.exe PID: 5736	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: MagicLine4NX.exe PID: 5700	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
43.2.MagicLine4NX.exe.6df70000.5.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19e020:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19e020:$c1: Elevation:Administrator!new: 0x1a44f8:$c1: Elevation:Administrator!new:
43.2.MagicLine4NX.exe.6df70000.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Code function: 13_2_00221829 GetModuleHandleA,CryptInitOIDFunctionSet,CryptInstallOIDFunctionAddress,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Code function: 13_2_00221A91 strtok,strtok,strtok,SetLastError,CryptEncodeObject,CryptEncodeObject,CryptEncodeObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertSetCRLContextProperty,CertSetCRLContextProperty,CertSetCRLContextProperty,CertEnumCertificatesInStore,CertFreeCertificateContext,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E019960 legacy_SetCryptFunctions,

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 43.2.MagicLine4NX.exe.6df70000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MagicLine4NX.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, type: DROPPED

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: cscript.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: netsh.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: sc.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: CheckNetIsolation.exe

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: cscript.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: netsh.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: sc.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: CheckNetIsolation.exe

Uses 32bit PE files

Source: magicline4nx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates install or setup log file

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log

Jump to behavior

PE / OLE file has a valid certificate

Source: magicline4nx_setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: magicline4nx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: CertMgr.pdb source: certmgr.exe, certmgr.exe, 0000000D.00000000.1265517894.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe, 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\MagicLineNXServices\lib\Win32\Release\MagicLine4NXServices.pdb source: MagicLine4NXServices.exe, 0000002C.00000003.1486510887.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1498312164.0000000000771000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdbfk7RCMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgN8 source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\projects\01.MagicAPI\DSToolkitV3\proj\vs2008\bin32\DSCToolkitV30-v3.4.2.20.pdb source: MagicLine4NX.exe, 0000002B.00000003.1521469654.0000000005DF8000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2523885578.000000006E490000.00000002.00000001.01000000.0000001D.sdmp, DSCToolkitV30-v3.4.2.20.dll.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\LocalServerNTS\NTSMagicLineNP\NTSMagicLineNP\lib\Win32\Release\MagicLine4NX.pdb source: MagicLine4NX.exe, 0000002B.00000002.2445190032.0000000000A9F000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WaaSMedicSvc.pdb source: waasmedic.20221128_142248_759.etl.34.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdb source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\libeay32.pdb source: libeay32.dll.0.dr

Spreading

Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDD673 FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02F393 FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E159CF0 __mbsinc,FindFirstFileA,GetLastError,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E17300F FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1952CD FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E282291 FindFirstFileExA,

Networking

Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: magicline4nx_setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: magicline4nx_setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: certmgr.exe, 0000000D.00000002.1270248784.000000000109D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: certmgr.exe, 0000000D.00000002.1270248784.000000000109D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ids.smartcert.kr
Source: magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cert9.db.30.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: magicline4nx_setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: magicline4nx_setup.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pcro.mobilesign.net/mini_cert_install.html
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rootca.kisa.or.kr/kor/hsm/hsm.jsp
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 0000001B.00000002.1458155402.00000168B2013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: magicline4nx_setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: nspr4.dll.0.dr, plds4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/
Source: certutil.exe, 00000011.00000002.1304484929.000000006E14C000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000013.00000002.1320842301.000000006E19C000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000018.00000002.1354269108.000000006E1BC000.00000002.00000001.01000000.00000013.sdmp, plds4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/(
Source: libplds4.dll.0.dr, libnspr4.dll.0.dr, libplc4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: certutil.exe, 00000011.00000002.1304886701.000000006E19A000.00000002.00000001.01000000.00000014.sdmp, certutil.exe, 00000013.00000002.1320516598.000000006E17A000.00000002.00000001.01000000.00000014.sdmp, nspr4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/NSPR_FD_CACHE_SIZE_LOWNSPR_FD_CACHE_SIZE_HIGH;
Source: MagicLine4NX.exe, 0000002B.00000002.2487204433.000000000616E000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2482809862.000000000603E000.00000002.00000001.01000000.00000022.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/V
Source: MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ubikey.co.kr/infovine/download.html
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp, CDPGlobalSettings.cdp.2.dr	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.comds
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1461738208.00000168B2074000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000001B.00000002.1459496867.00000168B2042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460652418.00000168B2063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.1451838018.00000168B204D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1453797692.00000168B205E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mobi.yessign.or.kr/mobisignInstall.htm
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara
Source: svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000001B.00000002.1459384486.00000168B203F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000001B.00000003.1456789529.00000168B206D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451717440.00000168B206C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, magicline4nx_setup.exe, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E15AFD0 recvfrom,WSAGetLastError,select,select,recvfrom,WSAGetLastError,

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity.com.der			Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der			Jump to dropped file

System Summary

PE file contains section with special chars

Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:

Detected potential crypto function

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD1DE0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DF9AD80
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA7570
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBA560
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA2549
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBED20
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA4D10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCE4F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6450
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DF93C40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0400
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCF7F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD47F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA9F50
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0F30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5F15
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6710
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA2F10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5717
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA56F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCDEE6
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA4E80
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFC5670
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA0E60
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD1650
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD2640
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6E30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0630
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFB8E20
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCDE20
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBA1C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCD9C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD49A0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFC4160
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA7130
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFE1935
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD3110
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0110
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA60D0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA30C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCC870
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DF93060
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5041
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0810
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA1800
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBC000
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFABBD0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD1BD0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD23C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD4BA0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD6375
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5377
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA8360
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA2350
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5B27
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFB3320
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6B10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBB2B0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD2A80
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA7A40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA5210
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCF210
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E023E60
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E022F00
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E014410
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E01AA70
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0152F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E034118
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E01A180
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E021180
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0161C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0AFC00
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E070C10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E08CC30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15EE40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E161EC7
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E16EFB2
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14BFC0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E161C9F
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14BB90
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E174BBA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E17885A
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14A910
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15C970
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14E7B0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E164418
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E154430
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E149210
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1663D0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E16F0DF
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E19A8B8
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E284E40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E206C50
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E210890
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E27C794
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1DA590
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1E0310
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E22C340
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1E43E0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1D5E00
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1DDE70
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E287E8C
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E287FB9

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Section loaded: httptx.dll
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Section loaded: ssleay32.dll
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Section loaded: libeay32.dll

Uses 32bit PE files

Source: magicline4nx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 43.2.MagicLine4NX.exe.6df70000.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, type: DROPPED	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\L.user.cdp

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E1F1590 appears 39 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E158FE0 appears 31 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E14CFF0 appears 42 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E15E6E0 appears 39 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E026580 appears 35 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E143E80 appears 56 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

Source: MagicLine4NX.exe.0.dr	Static PE information: Section: pnesegkq ZLIB complexity 0.9936557897361153
Source: MagicLine4NX.exe.0.dr	Static PE information: Section: oygmmjtk ZLIB complexity 1.021484375
Source: MagicLine4NXServices.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0002202994890235
Source: MagicLine4NXServices.exe.0.dr	Static PE information: Section: yqheebrs ZLIB complexity 0.9939886508819651
Source: MagicLine4NXServices.exe.0.dr	Static PE information: Section: intuqfii ZLIB complexity 1.021484375

Source: magicline4nx_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Uninstall.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe
Source: MagicLine4NX.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX

Jump to behavior

Source: classification engine

Classification label: mal90.phis.troj.spyw.expl.evad.winEXE@66/58@0/1

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E158150 MapViewOfFile,GetLastError,FormatMessageA,GetLastError,

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Program Files (x86)\DreamSecurity

Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File read: C:\Users\user\Desktop\magicline4nx_setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\magicline4nx_setup.exe C:\Users\user\Desktop\magicline4nx_setup.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete MagicLine4NXSVC
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start MagicLine4NXSVC
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete MagicLine4NXSVC
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start MagicLine4NXSVC
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "NTSMagicLineNP.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MagicLine4NX.exe")

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsi7880.tmp

Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DF91120 GlobalMemoryStatus,GetLogicalDrives,GetComputerNameA,GetCurrentProcess,GetCurrentProcessId,GetCurrentThreadId,GetVolumeInformationA,GetDiskFreeSpaceA,

Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: certutil.exe, 0000001E.00000003.1374967152.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375631766.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.1380446029.00000000015D4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1371252459.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1373372397.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1374664130.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001E.00000003.1376833795.0000000001550000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1377756336.0000000001553000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a0=$DATA0 AND a3=$DATA1;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: certutil.exe, 0000001E.00000003.1377708586.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375917887.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372903585.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1371011223.000000000159B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375126215.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData LIMIT 0;
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;ION=5507ProgramData=C:\
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;T
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: certutil.exe, 00000013.00000003.1314265380.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1317206279.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1313534896.0000000000A59000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1312561794.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1314508844.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1315248578.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1315435474.0000000000A58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM nssPublic LIMIT 0;
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;e4NX\cert\plc4.dll
Source: certutil.exe, 0000001E.00000003.1377708586.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375917887.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372903585.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1371011223.000000000159B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375126215.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData LIMIT 0;S
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:304:WilStaging_02

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File written: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: magicline4nx_setup.exe

Static file information: File size 10774328 > 1048576

PE / OLE file has a valid certificate

Source: magicline4nx_setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: magicline4nx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: CertMgr.pdb source: certmgr.exe, certmgr.exe, 0000000D.00000000.1265517894.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe, 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\MagicLineNXServices\lib\Win32\Release\MagicLine4NXServices.pdb source: MagicLine4NXServices.exe, 0000002C.00000003.1486510887.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1498312164.0000000000771000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdbfk7RCMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgN8 source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\projects\01.MagicAPI\DSToolkitV3\proj\vs2008\bin32\DSCToolkitV30-v3.4.2.20.pdb source: MagicLine4NX.exe, 0000002B.00000003.1521469654.0000000005DF8000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2523885578.000000006E490000.00000002.00000001.01000000.0000001D.sdmp, DSCToolkitV30-v3.4.2.20.dll.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\LocalServerNTS\NTSMagicLineNP\NTSMagicLineNP\lib\Win32\Release\MagicLine4NX.pdb source: MagicLine4NX.exe, 0000002B.00000002.2445190032.0000000000A9F000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WaaSMedicSvc.pdb source: waasmedic.20221128_142248_759.etl.34.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdb source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\libeay32.pdb source: libeay32.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Unpacked PE file: 43.2.MagicLine4NX.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pnesegkq:EW;oygmmjtk:EW; vs :ER;.rsrc:W;f::W; :EW;pnesegkq:EW;oygmmjtk:EW;
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Unpacked PE file: 44.2.MagicLine4NXServices.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yqheebrs:EW;intuqfii:EW; vs :ER;.rsrc:W;W:W; :EW;yqheebrs:EW;intuqfii:EW;

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000003.1579576184.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1580731607.0000000000553000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1209899240.0000000000542000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: magicline4nx_setup.exe PID: 5736, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD9536 push ecx; ret
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0265C6 push ecx; ret
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15E726 push ecx; ret
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E192436 push ecx; ret

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

PE file contains sections with non-standard names

Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: pnesegkq
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: oygmmjtk
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: yqheebrs
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: intuqfii

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: oygmmjtk

PE file contains an invalid checksum

Source: libeay32.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x128361
Source: libplds4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xecc0
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x773f
Source: NsisUtil.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x117e5
Source: libplc4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xfc66
Source: nsldap32v50.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2490d
Source: nssdbm3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d5b9
Source: smime3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x31fee
Source: certutil.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3f02c
Source: MagicCrypto32V21.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x68cbe
Source: nssutil3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3fedb
Source: freebl3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x70c11
Source: plc4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x18993
Source: version.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x6c99
Source: MagicLine4NX_Uninstall.exe.0.dr	Static PE information: real checksum: 0xa4d58e should be: 0x24b0e
Source: ssleay32.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x42eba
Source: nsExec.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x42dc
Source: KillProcDLL.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xad9e
Source: softokn3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3ee84
Source: nspr4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x52d80
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9f03d
Source: libnspr4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3b16e
Source: DumpLog.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xcb85
Source: nss3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xe6abb
Source: plds4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x16b3d

Source: initial sample	Static PE information: section name: pnesegkq entropy: 7.955837403140946
Source: initial sample	Static PE information: section name: oygmmjtk entropy: 7.238849092285538
Source: initial sample	Static PE information: section name: entropy: 7.985957605567069
Source: initial sample	Static PE information: section name: yqheebrs entropy: 7.955595621686765
Source: initial sample	Static PE information: section name: intuqfii entropy: 7.263983528026377

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0BAFEC00CC085C92F94FD1F2DECA2374C72EFFDA Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\MagicLine4NX.lnk	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\Uninstall.lnk	Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_USERS.DEFAULT\Software\Wine
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 00000000008D991D instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 00000000008D99C2 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000D45584 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000D45A76 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000BB9E00 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 0000000000A4EEA4 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 0000000000A56696 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 0000000000AC9B24 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000DC496B instructions caused by: Self-modifying code

Tries to detect virtualization through RDTSC time measurements

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED44 second address: 0000000000D0ED4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED4D second address: 0000000000D0ED53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED53 second address: 0000000000D0ED74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F4BEC76D8D0h 0x0000000b jmp 00007F4BEC76D8C4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED74 second address: 0000000000D0ED85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jp 00007F4BEC3895D6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D20AB0 second address: 0000000000D20AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2115B second address: 0000000000D21169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F4BEC3895D6h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D24091 second address: 0000000000D240BD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4BEC76D8BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add ecx, 1EA912FAh 0x00000013 push 00000000h 0x00000015 mov edx, 01049759h 0x0000001a mov esi, edx 0x0000001c push FFEEB69Fh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D240BD second address: 0000000000D240C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D240C1 second address: 0000000000D2410F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b add dword ptr [esp], 001149E1h 0x00000012 mov esi, dword ptr [ebp+120B3AF5h] 0x00000018 push 00000003h 0x0000001a mov edx, 70E684E2h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 mov ecx, dword ptr [ebp+120B1AC8h] 0x00000028 pop ecx 0x00000029 push 00000003h 0x0000002b mov dh, 15h 0x0000002d push B0457F99h 0x00000032 pushad 0x00000033 pushad 0x00000034 jmp 00007F4BEC76D8C0h 0x00000039 jl 00007F4BEC76D8B6h 0x0000003f popad 0x00000040 push edi 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D24196 second address: 0000000000D2420A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b jl 00007F4BEC3895E7h 0x00000011 jmp 00007F4BEC3895E1h 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F4BEC3895D8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov cl, D1h 0x00000036 call 00007F4BEC3895D9h 0x0000003b push eax 0x0000003c pushad 0x0000003d je 00007F4BEC3895D6h 0x00000043 jmp 00007F4BEC3895E0h 0x00000048 popad 0x00000049 pop eax 0x0000004a push eax 0x0000004b pushad 0x0000004c jl 00007F4BEC3895DCh 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2420A second address: 0000000000D24216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007F4BEC76D8B6h 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2435F second address: 0000000000D2442C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4BEC3895ECh 0x00000008 jmp 00007F4BEC3895E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 js 00007F4BEC3895E0h 0x00000016 nop 0x00000017 mov edi, 00C3469Ch 0x0000001c push 00000000h 0x0000001e movsx esi, ax 0x00000021 mov dword ptr [ebp+120B1C3Fh], esi 0x00000027 push DF7BB84Ch 0x0000002c jnl 00007F4BEC3895DEh 0x00000032 jg 00007F4BEC3895D8h 0x00000038 push edx 0x00000039 pop edx 0x0000003a add dword ptr [esp], 20844834h 0x00000041 push esi 0x00000042 mov dword ptr [ebp+120B19B0h], eax 0x00000048 pop edi 0x00000049 mov dx, ax 0x0000004c push 00000003h 0x0000004e add dword ptr [ebp+120B1BCBh], edi 0x00000054 push 00000000h 0x00000056 mov dword ptr [ebp+120B1B78h], eax 0x0000005c mov esi, edx 0x0000005e push 00000003h 0x00000060 jmp 00007F4BEC3895DFh 0x00000065 call 00007F4BEC3895D9h 0x0000006a jmp 00007F4BEC3895E3h 0x0000006f push eax 0x00000070 jmp 00007F4BEC3895DBh 0x00000075 mov eax, dword ptr [esp+04h] 0x00000079 jmp 00007F4BEC3895DBh 0x0000007e mov eax, dword ptr [eax] 0x00000080 push eax 0x00000081 push edx 0x00000082 jnc 00007F4BEC3895D8h 0x00000088 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2442C second address: 0000000000D24431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D24431 second address: 0000000000D2444C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC3895D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jp 00007F4BEC3895E0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C31 second address: 0000000000D41C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4BEC76D8B6h 0x0000000a jc 00007F4BEC76D8B6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 ja 00007F4BEC76D8B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C4F second address: 0000000000D41C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC3895D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C5A second address: 0000000000D41C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F4BEC76D8B6h 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C66 second address: 0000000000D41C6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1C20B second address: 0000000000D1C213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1C213 second address: 0000000000D1C22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F4BEC3895DCh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1C22B second address: 0000000000D1C23B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BEC76D8BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FA96 second address: 0000000000D3FAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FAA0 second address: 0000000000D3FAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FAA7 second address: 0000000000D3FAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FAAD second address: 0000000000D3FAEE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F4BEC76D8B6h 0x0000000f jmp 00007F4BEC76D8BDh 0x00000014 jmp 00007F4BEC76D8C1h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jnp 00007F4BEC76D8C6h 0x00000022 pushad 0x00000023 push esi 0x00000024 pop esi 0x00000025 jns 00007F4BEC76D8B6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FD73 second address: 0000000000D3FD7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F4BEC3895D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FD7E second address: 0000000000D3FDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 je 00007F4BEC76D8B6h 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FDA5 second address: 0000000000D3FDAB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FEEE second address: 0000000000D3FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FEF2 second address: 0000000000D3FEF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FEF8 second address: 0000000000D3FF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d jnp 00007F4BEC76D8B6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F4BEC76D8C3h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D400C7 second address: 0000000000D400DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC3895DAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D400DB second address: 0000000000D400DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 00000000008DA074 second address: 00000000008D9963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4BEC3895E0h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e clc 0x0000000f push dword ptr [ebp+141D0551h] 0x00000015 clc 0x00000016 call dword ptr [ebp+141D1A56h] 0x0000001c pushad 0x0000001d jmp 00007F4BEC3895DAh 0x00000022 xor eax, eax 0x00000024 mov dword ptr [ebp+141D187Dh], ebx 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e jng 00007F4BEC3895ECh 0x00000034 pushad 0x00000035 movzx ecx, bx 0x00000038 popad 0x00000039 mov dword ptr [ebp+141D3893h], eax 0x0000003f sub dword ptr [ebp+141D187Dh], ebx 0x00000045 mov esi, 0000003Ch 0x0000004a add dword ptr [ebp+141D187Dh], ebx 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 mov dword ptr [ebp+141D187Dh], ebx 0x0000005a jmp 00007F4BEC3895E4h 0x0000005f lodsw 0x00000061 cmc 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 cld 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b or dword ptr [ebp+141D1759h], eax 0x00000071 push eax 0x00000072 pushad 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 00000000008D9963 second address: 00000000008D996E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 00000000008D996E second address: 00000000008D9972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40254 second address: 0000000000D40274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F4BEC76D8C4h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F4BEC76D8BCh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40274 second address: 0000000000D40278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40278 second address: 0000000000D4028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F4BEC76D8B6h 0x0000000d jns 00007F4BEC76D8B6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4028E second address: 0000000000D40294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27EC0 second address: 0000000000A27EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40294 second address: 0000000000D40298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27EC5 second address: 0000000000A27ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40673 second address: 0000000000D40680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27ECB second address: 0000000000A27EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BEC76D8B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F4BEC76D8B6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40680 second address: 0000000000D4068A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27EE2 second address: 0000000000A27EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4068A second address: 0000000000D4068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27176 second address: 0000000000A2717C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D407D0 second address: 0000000000D40805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4BEC3895D6h 0x0000000a pop ecx 0x0000000b push edi 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4BEC3895DBh 0x00000019 jmp 00007F4BEC3895E6h 0x0000001e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2717C second address: 0000000000A2718D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F4BEC76D8B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40967 second address: 0000000000D40971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2718D second address: 0000000000A27191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40971 second address: 0000000000D40975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27191 second address: 0000000000A27197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40975 second address: 0000000000D4098A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4BEC3895D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jc 00007F4BEC3895D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27197 second address: 0000000000A2719D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40DE8 second address: 0000000000D40E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2719D second address: 0000000000A271A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E01 second address: 0000000000D40E39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E6h 0x00000007 je 00007F4BEC3895DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F4BEC3895DFh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A271A2 second address: 0000000000A271BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push ebx 0x00000009 jnl 00007F4BEC76D8B6h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jnp 00007F4BEC76D8B6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E39 second address: 0000000000D40E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895DBh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A271BB second address: 0000000000A271C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E48 second address: 0000000000D40E5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27492 second address: 0000000000A27496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E5E second address: 0000000000D40E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jno 00007F4BEC3895D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2760E second address: 0000000000A27614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41ABB second address: 0000000000D41ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41ABF second address: 0000000000D41AC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A4B7 second address: 0000000000A2A4DF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BEC3895E2h 0x00000008 jmp 00007F4BEC3895DCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F4BEC3895DCh 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A4DF second address: 0000000000A2A4F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC76D8C5h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A6B3 second address: 0000000000A2A6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A6B7 second address: 0000000000A2A6C1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A6C1 second address: 0000000000A2A742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 jmp 00007F4BEC3895DDh 0x0000001a pop eax 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F4BEC3895DBh 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 jnc 00007F4BEC3895E2h 0x0000002c pop eax 0x0000002d pushad 0x0000002e jmp 00007F4BEC3895DFh 0x00000033 mov eax, edi 0x00000035 popad 0x00000036 lea ebx, dword ptr [ebp+1432434Bh] 0x0000003c mov dword ptr [ebp+141D1773h], edx 0x00000042 xchg eax, ebx 0x00000043 jmp 00007F4BEC3895DDh 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D459D6 second address: 0000000000D459DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D459DD second address: 0000000000D459F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895DFh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A781 second address: 0000000000A2A809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+141D377Fh] 0x0000000d push 00000000h 0x0000000f movsx ecx, ax 0x00000012 push 7B6C4C17h 0x00000017 push edx 0x00000018 push ebx 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop ebx 0x0000001c pop edx 0x0000001d xor dword ptr [esp], 7B6C4C97h 0x00000024 mov edi, eax 0x00000026 push 00000003h 0x00000028 jmp 00007F4BEC76D8C1h 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+141D193Ch], eax 0x00000035 push 00000003h 0x00000037 xor dword ptr [ebp+141D1B3Eh], edx 0x0000003d call 00007F4BEC76D8C8h 0x00000042 mov dword ptr [ebp+141D23E6h], eax 0x00000048 pop edi 0x00000049 call 00007F4BEC76D8B9h 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 push edi 0x00000052 pop edi 0x00000053 jmp 00007F4BEC76D8C1h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D459F0 second address: 0000000000D459F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A809 second address: 0000000000A2A818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A818 second address: 0000000000A2A856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F4BEC3895E6h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F4BEC3895E0h 0x0000001b ja 00007F4BEC3895D6h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A856 second address: 0000000000A2A870 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4BEC76D8B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jc 00007F4BEC76D8C4h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D45C14 second address: 0000000000D45C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A870 second address: 0000000000A2A874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4BF80 second address: 0000000000D4BF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C0F1 second address: 0000000000D4C101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4BEC76D8BEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C3C7 second address: 0000000000D4C3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C3CC second address: 0000000000D4C3D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C3D1 second address: 0000000000D4C405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4BEC3895D6h 0x0000000a ja 00007F4BEC3895D6h 0x00000010 popad 0x00000011 jne 00007F4BEC3895D8h 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4BEC3895E7h 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C405 second address: 0000000000D4C410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F4BEC76D8B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6A0 second address: 0000000000D4C6A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6A4 second address: 0000000000D4C6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6AE second address: 0000000000D4C6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6B2 second address: 0000000000D4C6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C928 second address: 0000000000D4C92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C92E second address: 0000000000D4C932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E1CA second address: 0000000000D4E1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E1CE second address: 0000000000D4E1E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E3AE second address: 0000000000D4E3B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E3B2 second address: 0000000000D4E3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E3BB second address: 0000000000D4E3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F4BEC3895DCh 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E6B0 second address: 0000000000D4E6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E6B7 second address: 0000000000D4E6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E6BD second address: 0000000000D4E6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4ED63 second address: 0000000000D4ED67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4ED67 second address: 0000000000D4ED6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D50057 second address: 0000000000D500B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F4BEC3895DEh 0x0000000d jnp 00007F4BEC3895D8h 0x00000013 push edx 0x00000014 pop edx 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+120B3AD5h] 0x0000001c mov esi, dword ptr [ebp+120B2278h] 0x00000022 push 00000000h 0x00000024 jmp 00007F4BEC3895DDh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F4BEC3895D8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov edi, 77D5641Bh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D500B8 second address: 0000000000D500BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D500BC second address: 0000000000D500D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D53CED second address: 0000000000D53D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC76D8C4h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D53D09 second address: 0000000000D53D83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4BEC3895DBh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F4BEC3895D8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov esi, dword ptr [ebp+120B19B0h] 0x0000002e clc 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F4BEC3895D8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b jmp 00007F4BEC3895DDh 0x00000050 or dword ptr [ebp+120B2712h], edi 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b pushad 0x0000005c popad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5490D second address: 0000000000D54911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D54911 second address: 0000000000D54915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D56793 second address: 0000000000D56797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D56797 second address: 0000000000D567C2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4BEC3895E7h 0x0000000f popad 0x00000010 push edx 0x00000011 je 00007F4BEC3895DEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D567C2 second address: 0000000000D567CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D567CB second address: 0000000000D567D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58973 second address: 0000000000D58977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58E8B second address: 0000000000D58E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895E0h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58E9F second address: 0000000000D58F0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F4BEC76D8B8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 jmp 00007F4BEC76D8C1h 0x00000028 push 00000000h 0x0000002a mov di, 2F21h 0x0000002e push 00000000h 0x00000030 jmp 00007F4BEC76D8C2h 0x00000035 xchg eax, esi 0x00000036 jp 00007F4BEC76D8BEh 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59F08 second address: 0000000000D59F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59F0C second address: 0000000000D59F2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59F2D second address: 0000000000D59F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59FA5 second address: 0000000000D59FAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D52FCD second address: 0000000000D52FD7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D54622 second address: 0000000000D54626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D54626 second address: 0000000000D54638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007F4BEC3895E4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F5A0 second address: 0000000000D5F5BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F5BC second address: 0000000000D5F648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F4BEC3895D8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+120B3BE5h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F4BEC3895D8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 push 00000000h 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007F4BEC3895D8h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 0000001Ch 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 and edi, dword ptr [ebp+120B1A7Ch] 0x00000068 xchg eax, esi 0x00000069 push ecx 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F648 second address: 0000000000D5F65E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 ja 00007F4BEC76D8C4h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F4BEC76D8B6h 0x00000016 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D60702 second address: 0000000000D60708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D60708 second address: 0000000000D6070C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D626A4 second address: 0000000000D626A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D626A9 second address: 0000000000D626D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F4BEC76D8BEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D626D2 second address: 0000000000D6270E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b pushad 0x0000000c mov si, B16Bh 0x00000010 mov al, 4Ch 0x00000012 popad 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+120B2A0Bh] 0x0000001b xor dword ptr [ebp+120B2A71h], edx 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+120B267Bh], esi 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6270E second address: 0000000000D62719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC76D8B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D62719 second address: 0000000000D6274B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4BEC3895E2h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F4BEC3895E5h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D652D7 second address: 0000000000D652DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D652DD second address: 0000000000D652E7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BEC3895DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66277 second address: 0000000000D6627B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6627B second address: 0000000000D66293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66293 second address: 0000000000D66297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66297 second address: 0000000000D662A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D662A6 second address: 0000000000D662AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D662AC second address: 0000000000D662B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6736D second address: 0000000000D6737F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BEC76D8B8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6737F second address: 0000000000D67383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D67383 second address: 0000000000D67396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D67396 second address: 0000000000D67418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F4BEC3895D8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push edi 0x00000023 mov edi, dword ptr [ebp+120B1CB5h] 0x00000029 pop ebx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F4BEC3895D8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 mov ebx, dword ptr [ebp+120B3C51h] 0x0000004c push 00000000h 0x0000004e mov edi, dword ptr [ebp+120B3D55h] 0x00000054 xchg eax, esi 0x00000055 jnc 00007F4BEC3895E0h 0x0000005b push eax 0x0000005c push ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F4BEC3895E0h 0x00000064 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6829E second address: 0000000000D682AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F4BEC76D8C0h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71D95 second address: 0000000000D71D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71504 second address: 0000000000D7151F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7151F second address: 0000000000D71540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC3895E7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71540 second address: 0000000000D71544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71544 second address: 0000000000D71557 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007F4BEC3895D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71683 second address: 0000000000D7168E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC76D8B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7168E second address: 0000000000D716AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F4BEC3895D6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4BEC3895DEh 0x00000011 jno 00007F4BEC3895D6h 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71950 second address: 0000000000D71956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71956 second address: 0000000000D71966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4BEC3895DBh 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71966 second address: 0000000000D7197F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BEC76D8C4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7197F second address: 0000000000D719AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4BEC3895DEh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4BEC3895E8h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D719AE second address: 0000000000D719C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4BEC76D8BDh 0x00000008 pop edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D719C2 second address: 0000000000D719C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D75C46 second address: 0000000000D75C4B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5A1A1 second address: 0000000000D5A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5A1A5 second address: 0000000000D5A23B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f mov dword ptr [ebp+1221B48Dh], ebx 0x00000015 adc ebx, 5B2483DBh 0x0000001b popad 0x0000001c push dword ptr fs:[00000000h] 0x00000023 jg 00007F4BEC76D8BCh 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 sbb di, 6E85h 0x00000035 mov eax, dword ptr [ebp+120B0879h] 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F4BEC76D8B8h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 jmp 00007F4BEC76D8C7h 0x0000005a push FFFFFFFFh 0x0000005c mov di, A0E2h 0x00000060 nop 0x00000061 jmp 00007F4BEC76D8C0h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push ebx 0x0000006a pushad 0x0000006b popad 0x0000006c pop ebx 0x0000006d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5E78F second address: 0000000000D5E795 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F797 second address: 0000000000D5F79B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F79B second address: 0000000000D5F7B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F7B5 second address: 0000000000D5F7BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D62952 second address: 0000000000D62976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jc 00007F4BEC3895D6h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D638C4 second address: 0000000000D638CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D638CA second address: 0000000000D638D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4BEC3895D6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D79A1E second address: 0000000000D79A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jno 00007F4BEC76D8BEh 0x0000000b pop ebx 0x0000000c pushad 0x0000000d je 00007F4BEC76D8C4h 0x00000013 jmp 00007F4BEC76D8C8h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66493 second address: 0000000000D66499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66499 second address: 0000000000D6649E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D67632 second address: 0000000000D6763D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4BEC3895D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D79B7A second address: 0000000000D79B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D79E45 second address: 0000000000D79E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E9h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A115 second address: 0000000000D7A119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A119 second address: 0000000000D7A129 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F4BEC3895D8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A399 second address: 0000000000D7A39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A39F second address: 0000000000D7A3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A3A3 second address: 0000000000D7A3BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A50D second address: 0000000000D7A514 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F064 second address: 0000000000D7F068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F068 second address: 0000000000D7F06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F06E second address: 0000000000D7F088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4BEC76D8B6h 0x0000000a jmp 00007F4BEC76D8C0h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F088 second address: 0000000000D7F0C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4BEC3895F8h 0x0000000e jmp 00007F4BEC3895E7h 0x00000013 jmp 00007F4BEC3895DBh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F0C1 second address: 0000000000D7F0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DAF4 second address: 0000000000D7DB0D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F4BEC3895E1h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFA5 second address: 0000000000D7DFAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFAB second address: 0000000000D7DFB9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFB9 second address: 0000000000D7DFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFBD second address: 0000000000D7DFDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F4BEC3895ECh 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFDF second address: 0000000000D7DFE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7E953 second address: 0000000000D7E97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC3895D6h 0x0000000a jmp 00007F4BEC3895DEh 0x0000000f jmp 00007F4BEC3895DBh 0x00000014 popad 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7EAD8 second address: 0000000000D7EAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D37BB9 second address: 0000000000D37BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D37BBD second address: 0000000000D37BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D37BC5 second address: 0000000000D37BD3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F4BEC3895D6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D12259 second address: 0000000000D1225F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1225F second address: 0000000000D12265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D12265 second address: 0000000000D12269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D12269 second address: 0000000000D1227B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BEC3895D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1227B second address: 0000000000D1227F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1227F second address: 0000000000D12283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D85D44 second address: 0000000000D85D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C5h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D85D61 second address: 0000000000D85D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F4BEC3895DFh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0D1A7 second address: 0000000000D0D1B1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0D1B1 second address: 0000000000D0D1B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0D1B6 second address: 0000000000D0D232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C9h 0x00000009 jmp 00007F4BEC76D8BCh 0x0000000e jnp 00007F4BEC76D8B6h 0x00000014 popad 0x00000015 jmp 00007F4BEC76D8BAh 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d jmp 00007F4BEC76D8BDh 0x00000022 jmp 00007F4BEC76D8BDh 0x00000027 jl 00007F4BEC76D8D1h 0x0000002d jmp 00007F4BEC76D8C5h 0x00000032 jng 00007F4BEC76D8B6h 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57112 second address: 0000000000D57116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57548 second address: 0000000000D5754D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D576B0 second address: 0000000000D576B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5781E second address: 0000000000D57828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57A77 second address: 0000000000D57A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57A83 second address: 0000000000D57A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57A88 second address: 0000000000D57A92 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BEC3895DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57EAE second address: 0000000000D57EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57FEA second address: 0000000000D57FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58267 second address: 0000000000D5827A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F4BEC76D8B8h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5827A second address: 0000000000D582DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007F4BEC3895E5h 0x0000000c mov di, bx 0x0000000f lea eax, dword ptr [ebp+12250DCDh] 0x00000015 call 00007F4BEC3895E6h 0x0000001a mov edi, dword ptr [ebp+120B3CC1h] 0x00000020 pop ecx 0x00000021 mov ecx, edx 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push esi 0x00000028 pop esi 0x00000029 jmp 00007F4BEC3895E6h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D582DB second address: 0000000000D37BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F4BEC76D8B6h 0x00000009 jc 00007F4BEC76D8B6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F4BEC76D8C5h 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F4BEC76D8B8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 pushad 0x00000034 call 00007F4BEC76D8BEh 0x00000039 jmp 00007F4BEC76D8C0h 0x0000003e pop edi 0x0000003f mov ecx, ebx 0x00000041 popad 0x00000042 lea eax, dword ptr [ebp+12250D89h] 0x00000048 mov edx, esi 0x0000004a push eax 0x0000004b jmp 00007F4BEC76D8C3h 0x00000050 mov dword ptr [esp], eax 0x00000053 call 00007F4BEC76D8BEh 0x00000058 xor dword ptr [ebp+120B1D09h], ebx 0x0000005e pop edi 0x0000005f stc 0x00000060 call dword ptr [ebp+120B248Eh] 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 pushad 0x0000006a popad 0x0000006b jmp 00007F4BEC76D8BAh 0x00000070 popad 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F4BEC76D8BAh 0x00000078 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D850BA second address: 0000000000D850BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AA5 second address: 0000000000A48AAF instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AAF second address: 0000000000A48AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AB5 second address: 0000000000A48AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AB9 second address: 0000000000A48ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48ABD second address: 0000000000A48AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F4BEC76D8B6h 0x0000000f js 00007F4BEC76D8B6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ecx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jp 00007F4BEC76D8B6h 0x00000022 jbe 00007F4BEC76D8B6h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F4BEC76D8BFh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AF9 second address: 0000000000A48AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8523D second address: 0000000000D85243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D854CA second address: 0000000000D854D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D854D0 second address: 0000000000D854D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D858D4 second address: 0000000000D858DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A47741 second address: 0000000000A4777D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 jmp 00007F4BEC76D8C4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jng 00007F4BEC76D8B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A4777D second address: 0000000000A47785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A478F3 second address: 0000000000A47900 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A47900 second address: 0000000000A47906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A47906 second address: 0000000000A47912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC76D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A411A9 second address: 0000000000A411B3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BEC3895D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8A0C1 second address: 0000000000D8A0CB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8A0CB second address: 0000000000D8A0D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F4BEC3895D6h 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8A0D7 second address: 0000000000D8A0DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A484B3 second address: 0000000000A484C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895DEh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A484C7 second address: 0000000000A484D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F4BEC76D8B6h 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D89D6B second address: 0000000000D89D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D89D87 second address: 0000000000D89DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F4BEC76D8C4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A504F3 second address: 0000000000A504FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4BEC3895D6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A17CD3 second address: 0000000000A17CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A17CDA second address: 0000000000A17CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895E2h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5518C second address: 0000000000A5519C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F4BEC76D8B6h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5519C second address: 0000000000A551A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A551A2 second address: 0000000000A551AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A551AC second address: 0000000000A551B6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4BEC3895D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A551B6 second address: 0000000000A551BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A555DC second address: 0000000000A555E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A55A0D second address: 0000000000A55A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4BEC76D8BEh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A55A24 second address: 0000000000A55A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BEC3895E0h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57DE8 second address: 0000000000A57DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57DF2 second address: 0000000000A57DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5828A second address: 0000000000A58290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A588E6 second address: 0000000000A588F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4BEC3895D6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5896A second address: 0000000000A589A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4BEC76D8C8h 0x0000000b popad 0x0000000c mov dword ptr [esp], ebx 0x0000000f movsx esi, cx 0x00000012 jnc 00007F4BEC76D8BCh 0x00000018 and esi, 13A5240Bh 0x0000001e nop 0x0000001f js 00007F4BEC76D8BEh 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58B79 second address: 0000000000A58B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58B7D second address: 0000000000A58B83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58C58 second address: 0000000000A58C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58EE5 second address: 0000000000A58EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58FB2 second address: 0000000000A58FB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58FB7 second address: 0000000000A58FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58FC5 second address: 0000000000A58FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 nop 0x00000007 mov esi, 6445E480h 0x0000000c xchg eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4BEC3895E6h 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5BAE8 second address: 0000000000A5BAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5DBAA second address: 0000000000A5DBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F4BEC3895D6h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5DBB7 second address: 0000000000A5DBDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c jnc 00007F4BEC76D8BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E5BD second address: 0000000000A5E653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F4BEC3895E8h 0x0000000b pop esi 0x0000000c popad 0x0000000d nop 0x0000000e call 00007F4BEC3895E8h 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F4BEC3895D8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 sbb edi, 331EA68Eh 0x00000036 push 00000000h 0x00000038 jmp 00007F4BEC3895E7h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F4BEC3895E8h 0x00000045 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61688 second address: 0000000000A616AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4BEC76D8BAh 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A616AF second address: 0000000000A616B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A616B3 second address: 0000000000A616B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A616B9 second address: 0000000000A61725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F4BEC3895D8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov ebx, 71E2FC80h 0x00000028 jns 00007F4BEC3895DCh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F4BEC3895D8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a push 00000000h 0x0000004c mov dword ptr [ebp+14333BB3h], ebx 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61725 second address: 0000000000A61729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61729 second address: 0000000000A6172D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6172D second address: 0000000000A61745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC76D8C0h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61745 second address: 0000000000A61749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6677B second address: 0000000000A66794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F4BEC76D8B6h 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A66794 second address: 0000000000A6679A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A67713 second address: 0000000000A6771A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6771A second address: 0000000000A6775F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F4BEC3895DBh 0x0000000c nop 0x0000000d or dword ptr [ebp+141D2338h], edi 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 mov ebx, dword ptr [ebp+141D1885h] 0x0000001c pop ebx 0x0000001d push 00000000h 0x0000001f and ebx, dword ptr [ebp+141D28CFh] 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jo 00007F4BEC3895E7h 0x0000002e jmp 00007F4BEC3895E1h 0x00000033 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A69D1A second address: 0000000000A69D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6ADFE second address: 0000000000A6AE17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6FE00 second address: 0000000000A6FE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+141D19E9h], ecx 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 mov dword ptr [ebp+143355DAh], ecx 0x0000001a pop ebx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F4BEC76D8B8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 jmp 00007F4BEC76D8BEh 0x0000003c push eax 0x0000003d jc 00007F4BEC76D8CFh 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F4BEC76D8C1h 0x0000004a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5D901 second address: 0000000000A5D926 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4BEC3895E7h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E31F second address: 0000000000A5E323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E323 second address: 0000000000A5E33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC3895E1h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E33C second address: 0000000000A5E340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A618D0 second address: 0000000000A618D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7B259 second address: 0000000000A7B25D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7B25D second address: 0000000000A7B27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7B27C second address: 0000000000A7B288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4BEC76D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7A9F2 second address: 0000000000A7A9FC instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BEC3895D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7AB4E second address: 0000000000A7AB59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007F4BEC76D8B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7EE87 second address: 0000000000A7EE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7EE8B second address: 0000000000A7EE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E2A1 second address: 0000000000D8E2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E2A9 second address: 0000000000D8E2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E2AF second address: 0000000000D8E2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BEC3895D6h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F4BEC3895E2h 0x00000011 jbe 00007F4BEC3895D6h 0x00000017 pop ecx 0x00000018 pushad 0x00000019 je 00007F4BEC3895D6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E441 second address: 0000000000D8E467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c jne 00007F4BEC76D8B6h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E467 second address: 0000000000D8E46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8FFEB second address: 0000000000D8FFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC76D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D91DD8 second address: 0000000000D91DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D91DDE second address: 0000000000D91DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4BEC76D8B6h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D91B01 second address: 0000000000D91B07 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94B97 second address: 0000000000D94B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94B9D second address: 0000000000D94BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94BA1 second address: 0000000000D94BB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94CEF second address: 0000000000D94D09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4BEC3895E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94D09 second address: 0000000000D94D0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94D0E second address: 0000000000D94D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94D14 second address: 0000000000D94D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007F4BEC76D8BAh 0x00000012 jbe 00007F4BEC76D8B6h 0x00000018 pop edi 0x00000019 pushad 0x0000001a jl 00007F4BEC76D8B6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A840D7 second address: 0000000000A840DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8462B second address: 0000000000A8462F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8462F second address: 0000000000A84635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88092 second address: 0000000000A88098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88098 second address: 0000000000A8809C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A881FC second address: 0000000000A88206 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BEC76D8BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88206 second address: 0000000000A88222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC3895DCh 0x0000000a js 00007F4BEC3895D6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jnc 00007F4BEC3895D6h 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88222 second address: 0000000000A88249 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F4BEC76D8B6h 0x0000000f jmp 00007F4BEC76D8C3h 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A883A4 second address: 0000000000A883A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A886CA second address: 0000000000A886D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A886D4 second address: 0000000000A886DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88818 second address: 0000000000A8881E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8881E second address: 0000000000A88833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F4BEC3895DBh 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A87D84 second address: 0000000000A87D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BCh 0x00000007 pushad 0x00000008 jno 00007F4BEC76D8B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99F7B second address: 0000000000D99F95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007F4BEC3895D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99F95 second address: 0000000000D99FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4BEC76D8BEh 0x0000000b popad 0x0000000c jbe 00007F4BEC76D8BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99FB2 second address: 0000000000D99FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9889D second address: 0000000000D988C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F4BEC76D8BFh 0x0000000b popad 0x0000000c jmp 00007F4BEC76D8BEh 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D988C1 second address: 0000000000D988C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D98FFC second address: 0000000000D99021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C7h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jl 00007F4BEC76D8B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99021 second address: 0000000000D9903D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BEC3895E2h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57CBE second address: 0000000000D57CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A65838 second address: 0000000000A6583C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A679F0 second address: 0000000000A679F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88CC2 second address: 0000000000A88CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F4BEC3895D6h 0x0000000d jnl 00007F4BEC3895D6h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8914F second address: 0000000000A89173 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4BEC76D8CFh 0x00000008 jmp 00007F4BEC76D8C9h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A89173 second address: 0000000000A89188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F4BEC3895D6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A89188 second address: 0000000000A8918E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DA55 second address: 0000000000A8DA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DA5B second address: 0000000000A8DA5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DA5F second address: 0000000000A8DA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DEB3 second address: 0000000000A8DEB8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DEB8 second address: 0000000000A8DF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F4BEC3895E6h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F4BEC3895DDh 0x0000001c push esi 0x0000001d push edx 0x0000001e pop edx 0x0000001f jmp 00007F4BEC3895DAh 0x00000024 pop esi 0x00000025 push ebx 0x00000026 jns 00007F4BEC3895D6h 0x0000002c pop ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DF07 second address: 0000000000A8DF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8BAh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DF15 second address: 0000000000A8DF19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E050 second address: 0000000000A8E055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1B5 second address: 0000000000A8E1C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 ja 00007F4BEC3895D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1C7 second address: 0000000000A8E1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C6h 0x00000009 pop ecx 0x0000000a jc 00007F4BEC76D8C2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1EA second address: 0000000000A8E1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1F0 second address: 0000000000A8E1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1F8 second address: 0000000000A8E208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895DCh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E4B6 second address: 0000000000A8E4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jg 00007F4BEC5CA3C6h 0x0000000c je 00007F4BEC5CA3C6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A41B7D second address: 0000000000A41B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8D5E8 second address: 0000000000A8D5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8D5EF second address: 0000000000A8D61B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BED30CDB6h 0x00000007 pushad 0x00000008 jns 00007F4BED30CDA6h 0x0000000e jl 00007F4BED30CDA6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A93BD8 second address: 0000000000A93BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4BEC5CA3C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6C0E4 second address: 0000000000A6C0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C43 second address: 0000000000A56C5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C5F second address: 0000000000A56C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C65 second address: 0000000000A56C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C69 second address: 0000000000A56C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C6D second address: 0000000000A56C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F4BEC5CA3C6h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C80 second address: 0000000000A56C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C86 second address: 0000000000A56C9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC5CA3D3h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C9D second address: 0000000000A56CB7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4BED30CDA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jp 00007F4BED30CDB4h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CB7 second address: 0000000000A56CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CBB second address: 0000000000A56CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jp 00007F4BED30CDAEh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CCC second address: 0000000000A56CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CDB second address: 0000000000A56CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BED30CDB2h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CF1 second address: 0000000000A56D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F4BEC5CA3C8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 call 00007F4BEC5CA3C9h 0x00000028 jl 00007F4BEC5CA3D0h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D32 second address: 0000000000A56D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D3E second address: 0000000000A56D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D45 second address: 0000000000A56D63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F4BED30CDAAh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D63 second address: 0000000000A56D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D67 second address: 0000000000A56D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56E61 second address: 0000000000A56E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56E6F second address: 0000000000A56E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56E73 second address: 0000000000A56E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6CFE8 second address: 0000000000A6CFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57132 second address: 0000000000A57136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57136 second address: 0000000000A571B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4BED30CDB8h 0x0000000c jns 00007F4BED30CDA6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push esi 0x00000016 jmp 00007F4BED30CDB8h 0x0000001b pop esi 0x0000001c nop 0x0000001d js 00007F4BED30CDAAh 0x00000023 jmp 00007F4BED30CDAEh 0x00000028 push 00000004h 0x0000002a mov di, ax 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jmp 00007F4BED30CDB3h 0x00000036 jng 00007F4BED30CDA6h 0x0000003c popad 0x0000003d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A575A6 second address: 0000000000A57628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F4BEC5CA3C8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov di, EB30h 0x0000002b push 0000001Eh 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F4BEC5CA3C8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 movsx ecx, di 0x0000004a nop 0x0000004b jmp 00007F4BEC5CA3D8h 0x00000050 push eax 0x00000051 push eax 0x00000052 pushad 0x00000053 jl 00007F4BEC5CA3C6h 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EEBD second address: 0000000000A6EF37 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BED30CDBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F4BED30CDA8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov bl, 08h 0x00000027 mov bl, 81h 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov dword ptr [ebp+141D180Ch], ecx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d sub dword ptr [ebp+141D339Ch], ebx 0x00000043 mov eax, dword ptr [ebp+141D0069h] 0x00000049 or di, 08B6h 0x0000004e push FFFFFFFFh 0x00000050 mov edi, edx 0x00000052 nop 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F4BED30CDAAh 0x0000005c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EF37 second address: 0000000000A6EF50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EF50 second address: 0000000000A6EF6F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4BED30CDB0h 0x00000008 jmp 00007F4BED30CDAAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jnc 00007F4BED30CDA6h 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EF6F second address: 0000000000A6EF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC5CA3D7h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09A8 second address: 0000000000DA09AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09AE second address: 0000000000DA09B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09B4 second address: 0000000000DA09B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09B8 second address: 0000000000DA0A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4BEC5CA3D9h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4BEC5CA3D9h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA0A0C second address: 0000000000DA0A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BED30CDB0h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA0A24 second address: 0000000000DA0A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4BEC5CA3D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F4BEC5CA3D7h 0x00000011 jmp 00007F4BEC5CA3D2h 0x00000016 jng 00007F4BEC5CA3C6h 0x0000001c popad 0x0000001d pushad 0x0000001e jg 00007F4BEC5CA3C6h 0x00000024 jmp 00007F4BEC5CA3CBh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EBBA second address: 0000000000D9EBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EED1 second address: 0000000000D9EED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EED7 second address: 0000000000D9EEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEE0 second address: 0000000000D9EEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEE8 second address: 0000000000D9EEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F4BED30CDA6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEF7 second address: 0000000000D9EEFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEFB second address: 0000000000D9EF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F1B9 second address: 0000000000D9F1BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F4CF second address: 0000000000D9F4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F4D3 second address: 0000000000D9F4D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F4D7 second address: 0000000000D9F510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BED30CDA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4BED30CDB8h 0x00000014 jnl 00007F4BED30CDB2h 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F510 second address: 0000000000D9F52F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4BEC5CA3CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BEC5CA3CDh 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6FFC5 second address: 0000000000A6FFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6FFCB second address: 0000000000A6FFCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7008E second address: 0000000000A70092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A579FA second address: 0000000000A57AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ecx, 6F846E13h 0x0000000f lea eax, dword ptr [ebp+143502CEh] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F4BEC5CA3C8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov edx, dword ptr [ebp+141D35EFh] 0x00000035 mov cx, si 0x00000038 push eax 0x00000039 pushad 0x0000003a jmp 00007F4BEC5CA3D8h 0x0000003f ja 00007F4BEC5CA3CCh 0x00000045 popad 0x00000046 mov dword ptr [esp], eax 0x00000049 call 00007F4BEC5CA3D2h 0x0000004e push eax 0x0000004f mov dword ptr [ebp+141D1A77h], ecx 0x00000055 pop edi 0x00000056 pop ecx 0x00000057 lea eax, dword ptr [ebp+1435028Ah] 0x0000005d call 00007F4BEC5CA3CBh 0x00000062 sub dword ptr [ebp+141DB355h], ecx 0x00000068 pop edi 0x00000069 xor edx, 187D65F5h 0x0000006f nop 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57AAC second address: 0000000000A57AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57AB0 second address: 0000000000A57AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57AB9 second address: 0000000000A57ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57ABF second address: 0000000000A41B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jne 00007F4BEC5CA3CEh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F4BEC5CA3C8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+141D3743h] 0x0000002e call dword ptr [ebp+141D269Eh] 0x00000034 jnp 00007F4BEC5CA3E0h 0x0000003a jmp 00007F4BEC5CA3CCh 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A70F62 second address: 0000000000A70F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A70F66 second address: 0000000000A70F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F75 second address: 0000000000A92F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F7B second address: 0000000000A92F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F86 second address: 0000000000A92F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F8C second address: 0000000000A92F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F90 second address: 0000000000A92F96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F7EC second address: 0000000000D9F7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A930E5 second address: 0000000000A9311D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F4BED3126C6h 0x00000009 je 00007F4BED3126C6h 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F4BED3126D8h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007F4BED3126CCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9311D second address: 0000000000A93121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A93512 second address: 0000000000A9351C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9351C second address: 0000000000A9353A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC530E96h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9353A second address: 0000000000A93540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A96899 second address: 0000000000A968A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007F4BEC530E88h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A99308 second address: 0000000000A9930F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A98C3D second address: 0000000000A98C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B225 second address: 0000000000A9B229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B229 second address: 0000000000A9B231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B231 second address: 0000000000A9B252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BED3126D7h 0x00000009 jl 00007F4BED3126C6h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B252 second address: 0000000000A9B26A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC530E94h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9FDCD second address: 0000000000D9FDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9FDD3 second address: 0000000000D9FDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9FDD9 second address: 0000000000D9FDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9F4FC second address: 0000000000A9F50D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC530E8Dh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9EDD4 second address: 0000000000A9EDDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9EDDA second address: 0000000000A9EDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9EF1C second address: 0000000000A9EF3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BED3126D5h 0x00000007 jnl 00007F4BED3126C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA2F49 second address: 0000000000AA2F6B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4BEC530E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F4BEC530E86h 0x00000013 jbe 00007F4BEC530E86h 0x00000019 popad 0x0000001a ja 00007F4BEC530E8Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA2F6B second address: 0000000000AA2F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop eax 0x0000000a popad 0x0000000b jnp 00007F4BED3126DAh 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA2F82 second address: 0000000000AA2F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57337 second address: 0000000000A5733B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5733B second address: 0000000000A573ED instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BEC530E88h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F4BEC530E92h 0x00000013 pushad 0x00000014 jno 00007F4BEC530E86h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d popad 0x0000001e nop 0x0000001f jmp 00007F4BEC530E98h 0x00000024 mov ebx, dword ptr [ebp+143502C9h] 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F4BEC530E88h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 jns 00007F4BEC530E86h 0x0000004a mov edi, ebx 0x0000004c add eax, ebx 0x0000004e push 00000000h 0x00000050 push edx 0x00000051 call 00007F4BEC530E88h 0x00000056 pop edx 0x00000057 mov dword ptr [esp+04h], edx 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc edx 0x00000064 push edx 0x00000065 ret 0x00000066 pop edx 0x00000067 ret 0x00000068 jg 00007F4BEC530E8Ch 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F4BEC530E91h 0x00000076 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A573ED second address: 0000000000A57481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BED3126CCh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov di, 8690h 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F4BED3126C8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 jnl 00007F4BED3126D7h 0x00000036 nop 0x00000037 push edx 0x00000038 jmp 00007F4BED3126D5h 0x0000003d pop edx 0x0000003e push eax 0x0000003f pushad 0x00000040 pushad 0x00000041 jmp 00007F4BED3126D5h 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 je 00007F4BED3126CCh 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA00FE second address: 0000000000DA0109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC530E86h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA3DC1 second address: 0000000000AA3DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4BED3126C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA3DCE second address: 0000000000AA3DD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AAA960 second address: 0000000000AAA96C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AAA96C second address: 0000000000AAA983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC530E93h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA8CA7 second address: 0000000000AA8CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA8CAB second address: 0000000000AA8CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F4BEC530E8Eh 0x00000014 jmp 00007F4BEC530E98h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA8F73 second address: 0000000000AA8F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA06B7 second address: 0000000000DA06D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4BEC530E90h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA06D0 second address: 0000000000DA0701 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BED3126C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F4BED3126D9h 0x00000014 pop eax 0x00000015 jns 00007F4BED3126C8h 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA476E second address: 0000000000DA4784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC530E90h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA4784 second address: 0000000000DA4788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA97E3 second address: 0000000000AA97EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DABA40 second address: 0000000000DABA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DABA44 second address: 0000000000DABA4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DABA4A second address: 0000000000DABA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4BED3126D8h 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB215F second address: 0000000000DB2195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC530E90h 0x00000009 popad 0x0000000a pushad 0x0000000b jng 00007F4BEC530E86h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F4BEC530E8Bh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007F4BEC530E86h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB044C second address: 0000000000DB0450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0450 second address: 0000000000DB045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F4BEC530E86h 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0B4B second address: 0000000000DB0B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0FC9 second address: 0000000000DB0FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0FCD second address: 0000000000DB0FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4BED3126D8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA9D77 second address: 0000000000AA9D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA9D7B second address: 0000000000AA9D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DAFE95 second address: 0000000000DAFEA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F4BEC530E86h 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB6E8A second address: 0000000000DB6E90 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB6BA7 second address: 0000000000DB6BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jg 00007F4BEC530E88h 0x0000000b jmp 00007F4BEC530E91h 0x00000010 pushad 0x00000011 jng 00007F4BEC530E86h 0x00000017 pushad 0x00000018 popad 0x00000019 jg 00007F4BEC530E86h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC017C second address: 0000000000DC0191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F4BED3126D0h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0191 second address: 0000000000DC01AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC530E96h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC06F1 second address: 0000000000DC06F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC086E second address: 0000000000DC088C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC530E8Bh 0x00000007 jmp 00007F4BEC530E8Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC088C second address: 0000000000DC0894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0894 second address: 0000000000DC0898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DBF69E second address: 0000000000DBF6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC09E2 second address: 0000000000DC09E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0B68 second address: 0000000000DC0B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007F4BED3126D2h 0x0000000c jmp 00007F4BED3126D6h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D11 second address: 0000000000DC0D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC530E92h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D28 second address: 0000000000DC0D47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BED3126D4h 0x00000008 jno 00007F4BED3126C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D47 second address: 0000000000DC0D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BEC530E91h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D61 second address: 0000000000DC0D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F4BED3126D7h 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC1182 second address: 0000000000DC11A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F4BEC530E94h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC1480 second address: 0000000000DC149E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BED3126D3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC149E second address: 0000000000DC14A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC14A2 second address: 0000000000DC14DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BED3126D6h 0x00000007 jmp 00007F4BED3126D8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jl 00007F4BED3126CEh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB2532 second address: 0000000000AB254A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4BEC3895E3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB254A second address: 0000000000AB256A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BEC76D8C7h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB26A0 second address: 0000000000AB26A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB2976 second address: 0000000000AB299F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C3h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F4BEC76D8BDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6624	Thread sleep time: -68034s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6628	Thread sleep time: -88044s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6612	Thread sleep time: -46023s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6616	Thread sleep time: -58029s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 964	Thread sleep count: 34 > 30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 964	Thread sleep time: -68034s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 6800	Thread sleep time: -42021s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 2320	Thread sleep count: 38 > 30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 2320	Thread sleep time: -76038s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

Window / User API: threadDelayed 415

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	API coverage: 6.2 %
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	API coverage: 2.1 %
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	API coverage: 6.9 %

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll			Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe			Jump to dropped file

Contains capabilities to detect virtual machines

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\

Source: MagicLine4NX.exe, 0000002B.00000002.2457679120.0000000000D28000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1509377448.0000000000A32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MagicLine4NX.exe, 0000002B.00000002.2464388155.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: svchost.exe, 0000001A.00000002.2423245909.00000241FC413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\w%SystemRoot%\system32\mswsock.dll\Windows\system;C:\Windows;.;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\Serv
Source: cscript.exe, 00000016.00000003.1384442431.000000000321C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWar&Prod_VMware_SATA_C
Source: MagicLine4NX.exe, 0000002B.00000002.2457679120.0000000000D28000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1509377448.0000000000A32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: svchost.exe, 00000002.00000002.2429760809.0000010A84C6D000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000011.00000002.1300249086.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000002.1318847140.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.1352328513.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000023.00000002.1406667750.0000000001358000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000025.00000002.1418215234.0000000001538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E1480F0 GetSystemInfo,

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDD673 FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02F393 FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E159CF0 __mbsinc,FindFirstFileA,GetLastError,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E17300F FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1952CD FindFirstFileExA,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E282291 FindFirstFileExA,

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

System information queried: ModuleInformation

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: regmonclass
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: ollydbg
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: filemonclass
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Hides threads from debuggers

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Thread information set: HideFromDebugger

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Contains functionality to read the PEB

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDADAB mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDD448 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E029903 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02F168 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E169038 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1721B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1721FC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E194E0D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E193BDA mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E282066 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E27DD30 mov eax, dword ptr fs:[00000030h]

Checks if the current process is being debugged

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort

Checks for debuggers (devices)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: NTICE
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: SICE
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: SIWVID

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFDB940 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFDE2E8 GetProcessHeap,

Enables debug privileges

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD8CCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDB940 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD936A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E025EFA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02D2FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0263FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E16AA4D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15D6DB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15E55C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E194E40 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E19260B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E192265 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E27887F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: C:\Windows\SysWOW64\version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: C:\Windows\SysWOW64\version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: C:\Windows\SysWOW64\version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: C:\Windows\SysWOW64\version.dll

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\kc1pur8x.default
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d sql:"c:\users\user\appdata\roaming\mozilla\firefox\profiles\tjbwzv1u.default-release
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\kc1pur8x.default
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d sql:"c:\users\user\appdata\roaming\mozilla\firefox\profiles\tjbwzv1u.default-release

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete MagicLine4NXSVC
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start MagicLine4NXSVC
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E158BD0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLengthSid,CopySid,GetTokenInformation,GetLengthSid,CopySid,FindCloseChangeNotification,AllocateAndInitializeSid,

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E158D20 GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFD8DEF cpuid

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFD8F8E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6E031A8B _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"

Modifies Internet Explorer zone settings

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 CurrentLevel	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 CurrentLevel	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 CurrentLevel	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 CurrentLevel	Jump to behavior

Overwrites Mozilla Firefox settings

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Modifies the windows firewall

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000021.00000002.2430348352.000001D1EF702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2429556963.000001D1EF666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AntiVirusProduct{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}Windows DefenderMon, 28 Nov 2022 14:22:50 GMTwindowsdefender://%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2427255821.000001D1EF644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2427255821.000001D1EF644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2430348352.000001D1EF702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.2429556963.000001D1EF666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\pkcs11.txt
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert6.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert5.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert7.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E055C30 sqlite3_clear_bindings,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15ACF0 listen,WSAGetLastError,
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15AB20 bind,WSAGetLastError,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	11 DLL Side-Loading	11 DLL Side-Loading	41 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	2 Man in the Browser	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	1 Windows Service	1 Windows Service	1 Scripting	Security Account Manager	228 System Information Discovery	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	11 Process Injection	31 Obfuscated Files or Information	NTDS	571 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Install Root Certificate	LSA Secrets	24 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	121 Software Packing	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Search Order Hijacking	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Masquerading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	24 Virtualization/Sandbox Evasion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	11 Process Injection	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
magicline4nx_setup.exe	4%	ReversingLabs
magicline4nx_setup.exe	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll	3%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe	4%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll	3%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll	3%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.magicline4nx_setup.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
http://ids.smartcert.kr	0%	Avira URL Cloud	safe
http://pcro.mobilesign.net/mini_cert_install.html	0%	Avira URL Cloud	safe
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp	0%	Virustotal		Browse
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp	0%	Avira URL Cloud	safe
https://mobi.yessign.or.kr/mobisignInstall.htm	0%	Avira URL Cloud	safe
http://pcro.mobilesign.net/mini_cert_install.html	0%	Virustotal		Browse
https://mobi.yessign.or.kr/mobisignInstall.htm	0%	Virustotal		Browse
http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.	0%	Avira URL Cloud	safe
https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara	0%	Avira URL Cloud	safe
http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver	0%	Avira URL Cloud	safe
https://activity.windows.comds	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://www.ubikey.co.kr/infovine/download.html	0%	Avira URL Cloud	safe
http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	false		high
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/V	MagicLine4NX.exe, 0000002B.00000002.2487204433.000000000616E000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2482809862.000000000603E000.00000002.00000001.01000000.00000022.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000001B.00000003.1456789529.00000168B206D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451717440.00000168B206C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mobi.yessign.or.kr/mobisignInstall.htm	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ids.smartcert.kr	MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1461738208.00000168B2074000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pcro.mobilesign.net/mini_cert_install.html	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000001B.00000002.1459496867.00000168B2042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	MagicLine4NXServices.exe.0.dr	false		high
https://activity.windows.comds	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=	svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000001B.00000002.1458155402.00000168B2013000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	URL Reputation: safe	unknown
http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	MagicLine4NXServices.exe.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Stops/	svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 0000001B.00000003.1453797692.00000168B205E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460652418.00000168B2063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000001B.00000002.1459384486.00000168B203F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	false		high
https://dynamic.t	svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	false		high
http://www.ubikey.co.kr/infovine/download.html	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Schedules/	svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp, CDPGlobalSettings.cdp.2.dr	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000001B.00000003.1451838018.00000168B204D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755310
Start date and time:	2022-11-28 15:22:00 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 3s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	magicline4nx_setup.exe
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal90.phis.troj.spyw.expl.evad.winEXE@66/58@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.4% (good quality ratio 8.2%) Quality average: 80.9% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, usocoreworker.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2997248
Entropy (8bit):	6.268242233467519
Encrypted:	false
SSDEEP:	49152:h7ClpXrwlUNmw4ti5GX0QaiEmPDOkSxoIUhbYhC+c3hz93GRHEgwRhj5ib9cPgfz:9ArJmw4ti60Qa3mPDOkSxoBhbYh5cJM2
MD5:	61D12D057457751157FDE1E7BB1BADCD
SHA1:	6778E50CDD05C99836D406EBB8992EA0181FC71C
SHA-256:	23E7F0A6D9690B5667181C9670F60655C68ADA382CE0DEB7AC7D493344702D64
SHA-512:	E27A0706C4460007C84449BB951CF0929A94FF416C508FAE14B810FBD67CF0E81E25F05373E51A8C3FB2C7DDCA3EDFF8C0D3C8A4CB03E4135414F080578C0FF1
Malicious:	true
Yara Hits:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..k...k...k.......k.......k.?.....k..v....k..v..L.k......k..v....k.......k...j...k..v..g.k..v....k..v....k..v....k.Rich..k.........................PE..L...VB.`...........!................;........................................p........-...@..........................c.......$.......P!.X....................@+.\|.......................................@...............<...l"..@....................text............................... ..`.rdata..............................@..@.data........p...X...N..............@....rsrc...X....P!....... .............@..@.reloc...$...@+..&....*.............@..B................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.7215647863449464
Encrypted:	false
SSDEEP:	48:c1Wr52I6sb7kUlb7kEBb7klEtb7kmgb7kbIl9lcob7k0tpl6Hb7k7yb7kbpb7kwj:92Il0Ul0W0Q0l0U9l0ClO0G0t0U09m
MD5:	A107301ABC02D4AAE067671118A7A663
SHA1:	02AB932DBD4054EC6712C7BE9CE2265592EF14C9
SHA-256:	1324BFE22AAA7EFD96C7A833FC9D3A5061268D40C808A8DA2D538F9BBB043DC2
SHA-512:	E32248963225DCB938567CAA911B900C55E1B7C3E83C81808B97B7FB7733A84E99F6BE4C02A1957E03BD0AD0F1E507B5E72570B5A1CAA2393126D32C4BF4ED9C
Malicious:	false
Preview:	....................................................!.....................................tQ.....................G......b...5...Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1..............................................................v............#S.4...........E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.2.1.1.2.8._.1.4.2.2.4.8._.7.5.9...e.t.l.............P.P...........tQ................................................................:.B...tQ....18362.1.amd64fre.19h1_release.190318-1202...........5.@...tQ.....*..c...;.P...4....WaaSMedicSvc.pdb............................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.998103778788712
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	magicline4nx_setup.exe
File size:	10774328
MD5:	7cec32c04fdae116ab0f7f4fd8372abd
SHA1:	8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
SHA256:	aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
SHA512:	68b017169a1058b98650fb471ed2f0dc04222b516f8670597c28c7e5209e773ecc8f10ededd2a378b3ad6f634c3c8673255edd6178af3dfddd97b5c6f5d212cf
SSDEEP:	196608:i1swU0H5icKcguNb/0ysBK3KxI6lUlWqQBGG1y+8dkrrkRauWlcf:i1k08cKcguh1VlkICqsrkL1f
TLSH:	A5B63393662DE553F5124A7A2E7800393B82464F871A516F9DBCCBEFF20734EF665084
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.....

Entrypoint:	0x40320c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F29 [Sat Dec 15 22:24:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Signature Valid:	true
Signature Issuer:	CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	8/6/2020 2:00:00 AM 10/6/2022 1:59:59 AM
Subject Chain	CN="Dreamsecurity Co., Ltd.", O="Dreamsecurity Co., Ltd.", L=Songpa-gu, S=Seoul, C=KR
Version:	3
Thumbprint MD5:	6B78DDD09198A24ADE2ACAD1888F8EC0
Thumbprint SHA-1:	67251A386BA7C15C78268757250E79941ABDBEA1
Thumbprint SHA-256:	06152A2F83FE2FF6A89421C22F59E35E89B2850B8FE725B4D808872311AAA0BF
Serial:	2991F14126A97EDB9A5F5E00E13ACD9C

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x853c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x5ed0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa43478	0x32c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628f	0x6400	False	0.6700390625	data	6.442207080714446	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x135c	0x1400	False	0.4611328125	data	5.240043476337556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25518	0x600	False	0.455078125	data	4.04938010159809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0xc000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x5ed0	0x6000	False	0.4967854817708333	data	5.530327691332003	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c2c8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 0	English	United States
RT_ICON	0x3d8f0	0x1445	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x3ed38	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States
RT_ICON	0x3fbe0	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 0	English	United States
RT_ICON	0x40888	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 0	English	United States
RT_ICON	0x40fd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States
RT_DIALOG	0x41538	0xec	data	English	United States
RT_DIALOG	0x41628	0x108	data	English	United States
RT_DIALOG	0x41730	0x4c	data	English	United States
RT_GROUP_ICON	0x41780	0x5a	data	English	United States
RT_VERSION	0x417e0	0x2bc	data	Korean	North Korea
RT_VERSION	0x417e0	0x2bc	data	Korean	South Korea
RT_MANIFEST	0x41aa0	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Target ID:	0
Start time:	15:22:27
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\magicline4nx_setup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\magicline4nx_setup.exe
Imagebase:	0x400000
File size:	10774328 bytes
MD5 hash:	7CEC32C04FDAE116AB0F7F4FD8372ABD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.1579576184.0000000000501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.1580731607.0000000000553000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.1209899240.0000000000542000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Target ID:	2
Start time:	15:22:28
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	3
Start time:	15:22:30
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe
Imagebase:	0x390000
File size:	236032 bytes
MD5 hash:	4943BA1A9B41D69643F69685E35B2943
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	5
Start time:	15:22:31
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im NTSMagicLineNP.exe
Imagebase:	0xc40000
File size:	73728 bytes
MD5 hash:	07D18817187E87CFC6AB2A4670061AE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	6
Start time:	15:22:32
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop MagicLine4NXSVC
Imagebase:	0x760000
File size:	61440 bytes
MD5 hash:	3A070609B1569EDEBABDC6466E8FA36C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	10
Start time:	15:22:33
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe
Imagebase:	0x390000
File size:	236032 bytes
MD5 hash:	4943BA1A9B41D69643F69685E35B2943
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	13
Start time:	15:22:38
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root
Imagebase:	0x220000
File size:	65536 bytes
MD5 hash:	3A73031809C7DC0BB9BCE2F366345101
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Target ID:	15
Start time:	15:22:40
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX
Imagebase:	0xf30000
File size:	144896 bytes
MD5 hash:	86EF3CCA8FF54D585BC29699EE1ADC00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	17
Start time:	15:22:41
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Target ID:	19
Start time:	15:22:43
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	22
Start time:	15:22:45
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX
Imagebase:	0xf30000
File size:	144896 bytes
MD5 hash:	86EF3CCA8FF54D585BC29699EE1ADC00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	24
Start time:	15:22:46
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report magicline4nx_setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\Images\Logo.bmp

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid.conf

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid_Eng.conf

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\KOR.ini

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe.hmac

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe

Windows Analysis Report
magicline4nx_setup.exe

Target ID:	27
Start time:	15:22:47
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	33
Start time:	15:22:48
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	35
Start time:	15:22:51
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"
Imagebase:	0x1720000
File size:	82432 bytes
MD5 hash:	718A726FCC5EFCE3529E7A244D87F13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	37
Start time:	15:22:53
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes
Imagebase:	0x1720000
File size:	82432 bytes
MD5 hash:	718A726FCC5EFCE3529E7A244D87F13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	39
Start time:	15:22:54
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\CheckNetIsolation.exe
Wow64 process (32bit):	true
Commandline:	CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Imagebase:	0xc10000
File size:	26624 bytes
MD5 hash:	2FBEB635ADD6F73B226EE4BE660201BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	43
Start time:	15:22:55
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Imagebase:	0x820000
File size:	3753952 bytes
MD5 hash:	A98F6351876129FED4A6CA7DB7CBD721
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs

Target ID:	44
Start time:	15:22:56
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Imagebase:	0x770000
File size:	2248000 bytes
MD5 hash:	877F2A6FC5DA85AA4C9B38943EF21EAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Target ID:	45
Start time:	15:22:57
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	46
Start time:	15:23:05
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start MagicLine4NXSVC
Imagebase:	0x760000
File size:	61440 bytes
MD5 hash:	3A070609B1569EDEBABDC6466E8FA36C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre