URL:

https://www.gomlab.com/en/gomplayer-media-player

Full analysis: https://app.any.run/tasks/3fca026c-755a-4568-9369-8f0182ad6bc4
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: August 07, 2024, 18:55:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
netreactor
miner
evasion
Indicators:
MD5:

0B1118BC6CB821037DDA889591AF8619

SHA1:

7B7A6625D8A3EC98C720C1AD07F0A1E677717572

SHA256:

FF82E0143C561C5EE738F2973D066D45F8EAE52C59DC963CA0CCE8E879ED5915

SSDEEP:

3:N8DSLeOA+CKIVJ1bx/n:2OLeOA+Je1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • ofyuumpg.exe (PID: 4024)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsEngineSvc.exe (PID: 5284)
      • nsxA08B.tmp (PID: 9068)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • nsoB193.tmp (PID: 9120)
      • AvastBrowserUpdateSetup.exe (PID: 1128)
      • AvastBrowserUpdate.exe (PID: 8972)
      • Instup.exe (PID: 1500)
    • Scans artifacts that could help determine the target

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 7092)
      • rsEngineSvc.exe (PID: 5284)
      • nsxA08B.tmp (PID: 9068)
      • rsVPNSvc.exe (PID: 7088)
      • rsDNSSvc.exe (PID: 2032)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 5028)
      • instup.exe (PID: 9532)
      • rundll32.exe (PID: 6008)
    • Steals credentials from Web Browsers

      • nsxA08B.tmp (PID: 9068)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cookie_exporter.exe (PID: 7668)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 7912)
      • rsEngineSvc.exe (PID: 5500)
      • rsEDRSvc.exe (PID: 7880)
      • rsEngineSvc.exe (PID: 5284)
      • GOM.exe (PID: 8792)
      • GrLauncher.exe (PID: 8912)
      • GOM.exe (PID: 9212)
      • nsxA08B.tmp (PID: 9068)
      • AvastBrowserUpdate.exe (PID: 8972)
      • rsVPNSvc.exe (PID: 9056)
      • rsDNSSvc.exe (PID: 3832)
    • The process creates files with name similar to system file names

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
    • Executable content was dropped or overwritten

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • ofyuumpg.exe (PID: 4024)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsEngineSvc.exe (PID: 5284)
      • nsxA08B.tmp (PID: 9068)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • nsoB193.tmp (PID: 9120)
      • AvastBrowserUpdate.exe (PID: 8972)
      • AvastBrowserUpdateSetup.exe (PID: 1128)
      • Instup.exe (PID: 1500)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Process drops legitimate windows executable

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • ofyuumpg.exe (PID: 4024)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsEngineSvc.exe (PID: 5284)
    • Checks Windows Trust Settings

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 7912)
      • rsEngineSvc.exe (PID: 5500)
      • rsWSC.exe (PID: 8152)
      • rsEDRSvc.exe (PID: 7880)
      • rsEDRSvc.exe (PID: 7096)
      • GrLauncher.exe (PID: 8912)
      • nsxA08B.tmp (PID: 9068)
      • rsEngineSvc.exe (PID: 5284)
      • rsVPNSvc.exe (PID: 9056)
      • rsDNSSvc.exe (PID: 3832)
    • Searches for installed software

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • nsxA08B.tmp (PID: 9068)
      • rsVPNSvc.exe (PID: 7088)
    • Reads Microsoft Outlook installation path

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Process requests binary or script from the Internet

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Creates/Modifies COM task schedule object

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • AvastBrowserUpdate.exe (PID: 8884)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 9180)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 2472)
      • AvastBrowserUpdate.exe (PID: 8972)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 8780)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 6168)
      • rsWSC.exe (PID: 8152)
      • rsClientSvc.exe (PID: 2608)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • WmiApSrv.exe (PID: 6164)
      • rsVPNClientSvc.exe (PID: 8872)
      • rsVPNSvc.exe (PID: 7088)
      • AvastBrowserUpdate.exe (PID: 6156)
      • WmiApSrv.exe (PID: 8768)
      • rsDNSClientSvc.exe (PID: 9752)
      • rsDNSSvc.exe (PID: 2032)
      • rsDNSResolver.exe (PID: 5400)
      • WmiApSrv.exe (PID: 5344)
    • Reads Internet Explorer settings

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 7092)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 7092)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 7912)
      • rsEngineSvc.exe (PID: 5284)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 7092)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 7092)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 7092)
      • rundll32.exe (PID: 5028)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 7092)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 7092)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 7092)
    • Dropped object may contain URLs of miner pools

      • rsEngineSvc.exe (PID: 5284)
    • Reads the date of Windows installation

      • rsEDRSvc.exe (PID: 7096)
      • rsEngineSvc.exe (PID: 5284)
      • AvastBrowserUpdate.exe (PID: 8972)
    • Reads the BIOS version

      • rsEDRSvc.exe (PID: 7096)
      • rsEngineSvc.exe (PID: 5284)
      • nsxA08B.tmp (PID: 9068)
    • Application launched itself

      • rsAppUI.exe (PID: 7072)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 4880)
    • Process checks whether PowerShell's Script Block Logging is on

      • rsEDRSvc.exe (PID: 7096)
    • The process checks if it is being run in the virtual environment

      • rsEngineSvc.exe (PID: 5284)
      • rsVPNSvc.exe (PID: 7088)
      • rsDNSSvc.exe (PID: 2032)
    • Changes Internet Explorer settings (feature browser emulation)

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Starts application with an unusual extension

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • The process verifies whether the antivirus software is installed

      • nsxA08B.tmp (PID: 9068)
      • rsEngineSvc.exe (PID: 5284)
      • AvastBrowserUpdate.exe (PID: 8884)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 8780)
      • AvastBrowserUpdate.exe (PID: 8960)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 9180)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 2472)
      • AvastBrowserUpdate.exe (PID: 8864)
      • AvastBrowserUpdate.exe (PID: 6156)
      • AvastBrowserUpdate.exe (PID: 4784)
      • AvastBrowserUpdate.exe (PID: 8972)
      • rsVPNSvc.exe (PID: 7088)
      • instup.exe (PID: 9532)
      • runonce.exe (PID: 3904)
      • rsDNSSvc.exe (PID: 2032)
    • Checks for external IP

      • nsoB193.tmp (PID: 9120)
    • Starts itself from another location

      • AvastBrowserUpdate.exe (PID: 8972)
      • Instup.exe (PID: 1500)
    • Disables SEHOP

      • AvastBrowserUpdate.exe (PID: 8972)
    • Process checks presence of unattended files

      • instup.exe (PID: 9532)
    • Potential Corporate Privacy Violation

      • AvastBrowserUpdate.exe (PID: 6156)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 3784)
      • cmd.exe (PID: 8712)
    • Starts CMD.EXE for commands execution

      • rsDNSSvc.exe (PID: 2032)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 7524)
      • cookie_exporter.exe (PID: 7668)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsSyncSvc.exe (PID: 644)
      • rsSyncSvc.exe (PID: 6168)
      • rsWSC.exe (PID: 7912)
      • rsWSC.exe (PID: 8152)
      • rsClientSvc.exe (PID: 7064)
      • rsClientSvc.exe (PID: 2608)
      • rsEngineSvc.exe (PID: 5500)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7880)
      • rsHelper.exe (PID: 2064)
      • rsEDRSvc.exe (PID: 7096)
      • rsAppUI.exe (PID: 7072)
      • rsAppUI.exe (PID: 6192)
      • rsAppUI.exe (PID: 3068)
      • GOM.exe (PID: 8724)
      • GOM.exe (PID: 8792)
      • GrLauncher.exe (PID: 8912)
      • nsxA08B.tmp (PID: 9068)
      • nsoB193.tmp (PID: 9120)
      • GOM.exe (PID: 9212)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • Instup.exe (PID: 1500)
      • AvastBrowserUpdate.exe (PID: 8972)
      • AvastBrowserUpdate.exe (PID: 8960)
      • rsVPNClientSvc.exe (PID: 8912)
      • rsVPNClientSvc.exe (PID: 8872)
      • AvastBrowserUpdate.exe (PID: 8884)
      • rsVPNSvc.exe (PID: 9056)
      • rsVPNSvc.exe (PID: 7088)
      • AvastBrowserUpdate.exe (PID: 4784)
      • AvastBrowserUpdate.exe (PID: 8864)
      • AvastBrowserUpdate.exe (PID: 6156)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8408)
      • rsAppUI.exe (PID: 8916)
      • instup.exe (PID: 9532)
      • rsDNSClientSvc.exe (PID: 7740)
      • rsDNSResolver.exe (PID: 7744)
      • rsDNSClientSvc.exe (PID: 9752)
      • rsDNSSvc.exe (PID: 2032)
      • rsDNSResolver.exe (PID: 5400)
      • rsDNSSvc.exe (PID: 3832)
      • rsAppUI.exe (PID: 4880)
      • rsAppUI.exe (PID: 7904)
      • rsAppUI.exe (PID: 9108)
    • Reads Environment values

      • identity_helper.exe (PID: 7524)
      • cookie_exporter.exe (PID: 7668)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • rsAppUI.exe (PID: 7072)
      • nsxA08B.tmp (PID: 9068)
      • Instup.exe (PID: 1500)
      • rsVPNSvc.exe (PID: 7088)
      • rsAppUI.exe (PID: 1656)
      • instup.exe (PID: 9532)
      • rsDNSSvc.exe (PID: 2032)
      • rsAppUI.exe (PID: 4880)
    • Checks supported languages

      • identity_helper.exe (PID: 7524)
      • cookie_exporter.exe (PID: 7668)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • KillGom.exe (PID: 7716)
      • ofyuumpg.exe (PID: 4024)
      • UnifiedStub-installer.exe (PID: 7092)
      • KillGom.exe (PID: 6220)
      • rsSyncSvc.exe (PID: 644)
      • rsSyncSvc.exe (PID: 6168)
      • rsWSC.exe (PID: 7912)
      • rsWSC.exe (PID: 8152)
      • rsClientSvc.exe (PID: 7064)
      • rsEngineSvc.exe (PID: 5500)
      • rsClientSvc.exe (PID: 2608)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • rsHelper.exe (PID: 2064)
      • rsEDRSvc.exe (PID: 7880)
      • rsAppUI.exe (PID: 7072)
      • EPP.exe (PID: 4760)
      • rsAppUI.exe (PID: 7228)
      • rsAppUI.exe (PID: 6192)
      • rsAppUI.exe (PID: 3068)
      • rsAppUI.exe (PID: 8516)
      • rsLitmus.A.exe (PID: 8608)
      • GOM.exe (PID: 8724)
      • GOM.exe (PID: 8792)
      • GrLauncher.exe (PID: 8912)
      • nsxA08B.tmp (PID: 9068)
      • nsoB193.tmp (PID: 9120)
      • GOM.exe (PID: 9212)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • AvastBrowserUpdateSetup.exe (PID: 1128)
      • AvastBrowserUpdate.exe (PID: 8972)
      • Instup.exe (PID: 1500)
      • rsVPNClientSvc.exe (PID: 8912)
      • rsVPNClientSvc.exe (PID: 8872)
      • AvastBrowserUpdate.exe (PID: 8884)
      • rsVPNSvc.exe (PID: 9056)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 8780)
      • AvastBrowserUpdate.exe (PID: 8960)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 9180)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 2472)
      • rsVPNSvc.exe (PID: 7088)
      • AvastBrowserUpdate.exe (PID: 8864)
      • AvastBrowserUpdate.exe (PID: 6156)
      • AvastBrowserUpdate.exe (PID: 4784)
      • VPN.exe (PID: 9180)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8408)
      • rsAppUI.exe (PID: 8916)
      • rsAppUI.exe (PID: 8744)
      • rsAppUI.exe (PID: 9452)
      • instup.exe (PID: 9532)
      • rsDNSClientSvc.exe (PID: 7740)
      • rsDNSResolver.exe (PID: 9692)
      • rsDNSClientSvc.exe (PID: 9752)
      • rsDNSResolver.exe (PID: 7744)
      • sbr.exe (PID: 9808)
      • rsDNSSvc.exe (PID: 3832)
      • rsDNSSvc.exe (PID: 2032)
      • rsDNSResolver.exe (PID: 5400)
      • DNS.exe (PID: 10064)
      • rsAppUI.exe (PID: 4880)
      • rsAppUI.exe (PID: 9108)
      • rsAppUI.exe (PID: 7860)
      • rsAppUI.exe (PID: 7904)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6488)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • Checks proxy server information

      • cookie_exporter.exe (PID: 7668)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 7912)
      • rsAppUI.exe (PID: 7072)
      • GOM.exe (PID: 8792)
      • GrLauncher.exe (PID: 8912)
      • GOM.exe (PID: 9212)
      • nsxA08B.tmp (PID: 9068)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • Instup.exe (PID: 1500)
      • AvastBrowserUpdate.exe (PID: 4784)
      • rsAppUI.exe (PID: 1656)
      • instup.exe (PID: 9532)
      • rsAppUI.exe (PID: 4880)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6720)
      • msedge.exe (PID: 6488)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 6488)
      • msedge.exe (PID: 6720)
    • The process uses the downloaded file

      • msedge.exe (PID: 6488)
      • msedge.exe (PID: 7584)
    • Create files in a temporary directory

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • ofyuumpg.exe (PID: 4024)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsAppUI.exe (PID: 7072)
      • GrLauncher.exe (PID: 8912)
      • nsxA08B.tmp (PID: 9068)
      • AvastBrowserUpdate.exe (PID: 6156)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 4880)
    • Reads the machine GUID from the registry

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 8152)
      • rsWSC.exe (PID: 7912)
      • rsEngineSvc.exe (PID: 5500)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7880)
      • rsEDRSvc.exe (PID: 7096)
      • rsHelper.exe (PID: 2064)
      • rsAppUI.exe (PID: 7072)
      • GOM.exe (PID: 8724)
      • GOM.exe (PID: 8792)
      • GrLauncher.exe (PID: 8912)
      • nsoB193.tmp (PID: 9120)
      • GOM.exe (PID: 9212)
      • nsxA08B.tmp (PID: 9068)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • Instup.exe (PID: 1500)
      • AvastBrowserUpdate.exe (PID: 8972)
      • rsVPNSvc.exe (PID: 9056)
      • rsVPNSvc.exe (PID: 7088)
      • rsAppUI.exe (PID: 1656)
      • AvastBrowserUpdate.exe (PID: 6156)
      • instup.exe (PID: 9532)
      • rsDNSSvc.exe (PID: 3832)
      • rsDNSSvc.exe (PID: 2032)
      • rsAppUI.exe (PID: 4880)
    • Disables trace logs

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • rsVPNSvc.exe (PID: 7088)
      • rsDNSSvc.exe (PID: 2032)
    • Creates files or folders in the user directory

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 7912)
      • rsAppUI.exe (PID: 7072)
      • rsEngineSvc.exe (PID: 5284)
      • GOM.exe (PID: 8792)
      • rsAppUI.exe (PID: 3068)
      • GrLauncher.exe (PID: 8912)
      • nsxA08B.tmp (PID: 9068)
      • rsVPNSvc.exe (PID: 7088)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8916)
      • rsDNSSvc.exe (PID: 2032)
      • rsAppUI.exe (PID: 4880)
      • rsAppUI.exe (PID: 9108)
    • Reads the software policy settings

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 7912)
      • rsEngineSvc.exe (PID: 5500)
      • rsWSC.exe (PID: 8152)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7880)
      • rsEDRSvc.exe (PID: 7096)
      • GrLauncher.exe (PID: 8912)
      • nsxA08B.tmp (PID: 9068)
      • nsoB193.tmp (PID: 9120)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • Instup.exe (PID: 1500)
      • rsVPNSvc.exe (PID: 9056)
      • AvastBrowserUpdate.exe (PID: 4784)
      • AvastBrowserUpdate.exe (PID: 6156)
      • rsVPNSvc.exe (PID: 7088)
      • instup.exe (PID: 9532)
      • rsDNSSvc.exe (PID: 3832)
      • rsDNSSvc.exe (PID: 2032)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 7092)
      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
      • rsWSC.exe (PID: 7912)
      • rsEngineSvc.exe (PID: 5500)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7880)
      • rsEDRSvc.exe (PID: 7096)
      • GrLauncher.exe (PID: 8912)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • AvastBrowserUpdateSetup.exe (PID: 1128)
      • Instup.exe (PID: 1500)
      • AvastBrowserUpdate.exe (PID: 8972)
      • rsVPNSvc.exe (PID: 9056)
      • AvastBrowserUpdate.exe (PID: 6156)
      • rsVPNSvc.exe (PID: 7088)
      • rsDNSResolver.exe (PID: 7744)
      • instup.exe (PID: 9532)
      • rsDNSSvc.exe (PID: 3832)
      • rsDNSSvc.exe (PID: 2032)
      • rsDNSResolver.exe (PID: 5400)
    • Process checks Internet Explorer phishing filters

      • GOMPLAYERGLOBALSETUP_CHROME.EXE (PID: 1884)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 7092)
      • rsWSC.exe (PID: 8152)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • rsHelper.exe (PID: 2064)
    • Application launched itself

      • msedge.exe (PID: 6488)
    • Reads the time zone

      • runonce.exe (PID: 7376)
      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • rsVPNSvc.exe (PID: 7088)
      • runonce.exe (PID: 3904)
      • rsDNSSvc.exe (PID: 2032)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7376)
      • runonce.exe (PID: 3904)
    • Reads product name

      • rsEDRSvc.exe (PID: 7096)
      • rsAppUI.exe (PID: 7072)
      • rsEngineSvc.exe (PID: 5284)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 4880)
    • Reads CPU info

      • rsEngineSvc.exe (PID: 5284)
      • rsEDRSvc.exe (PID: 7096)
      • avast_free_antivirus_setup_online_x64.exe (PID: 8656)
      • Instup.exe (PID: 1500)
      • rsVPNSvc.exe (PID: 7088)
      • instup.exe (PID: 9532)
      • rsDNSSvc.exe (PID: 2032)
    • Process checks computer location settings

      • rsAppUI.exe (PID: 7228)
      • rsAppUI.exe (PID: 8516)
      • rsAppUI.exe (PID: 7072)
      • nsxA08B.tmp (PID: 9068)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8744)
      • rsVPNSvc.exe (PID: 7088)
      • rsAppUI.exe (PID: 9452)
      • rsAppUI.exe (PID: 7860)
      • rsAppUI.exe (PID: 4880)
      • AvastBrowserUpdate.exe (PID: 8972)
    • Dropped object may contain TOR URLs

      • Instup.exe (PID: 1500)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
299
Monitored processes
156
Malicious processes
25
Suspicious processes
5

Behavior graph

start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs cookie_exporter.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs gomplayerglobalsetup_chrome.exe no specs gomplayerglobalsetup_chrome.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs killgom.exe no specs killgom.exe no specs msedge.exe no specs ofyuumpg.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs THREAT unifiedstub-installer.exe rssyncsvc.exe no specs conhost.exe no specs rssyncsvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs wevtutil.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs wevtutil.exe no specs conhost.exe no specs rswsc.exe THREAT rswsc.exe no specs rsclientsvc.exe no specs conhost.exe no specs rsclientsvc.exe no specs rsenginesvc.exe no specs THREAT rsenginesvc.exe rsedrsvc.exe no specs THREAT rsedrsvc.exe THREAT rshelper.exe no specs epp.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs rslitmus.a.exe no specs conhost.exe no specs gom.exe no specs gom.exe no specs VSUtil no specs 
grlauncher.exe nsxa08b.tmp nsob193.tmp gom.exe no specs VSUtil no specs avast_free_antivirus_setup_online_x64.exe avastbrowserupdatesetup.exe instup.exe avastbrowserupdate.exe avastbrowserupdate.exe no specs rsvpnclientsvc.exe no specs conhost.exe no specs rsvpnclientsvc.exe no specs avastbrowserupdate.exe no specs rsvpnsvc.exe no specs avastbrowserupdatecomregistershell64.exe no specs avastbrowserupdatecomregistershell64.exe no specs avastbrowserupdatecomregistershell64.exe no specs avastbrowserupdate.exe rsvpnsvc.exe avastbrowserupdate.exe no specs avastbrowserupdate.exe vpn.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe rsappui.exe no specs rsappui.exe no specs instup.exe sbr.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs rsdnsclientsvc.exe no specs conhost.exe no specs rsdnsclientsvc.exe no specs rsdnsresolver.exe no specs conhost.exe no specs rsdnsresolver.exe no specs conhost.exe no specs rsdnsresolver.exe no specs rsdnssvc.exe no specs rsdnssvc.exe cmd.exe no specs conhost.exe no specs ipconfig.exe no specs dns.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe rsappui.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 644
CMD: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Path: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Parent process: UnifiedStub-installer.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
Reason Security Synchronize Service
Exit code:
0
Version:
1.8.5.0
Modules
Images
c:\program files\reasonlabs\common\rssyncsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 736
CMD: ipconfig /flushdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
PID: 904
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6756 --field-trial-handle=2368,i,7712857698882973906,16764532404281187830,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7240 --field-trial-handle=2368,i,7712857698882973906,16764532404281187830,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: "C:\Windows\System32\grpconv.exe" -o
Path: C:\Windows\System32\grpconv.exe
Parent process: runonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1128
CMD: AvastBrowserUpdateSetup.exe /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=6226&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome"
Path: C:\Users\admin\AppData\Local\Temp\nsyB0E0.tmp\AvastBrowserUpdateSetup.exe
Parent process: nsxA08B.tmp
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Browser Setup
Version:
1.8.1697.6
Modules
Images
c:\users\admin\appdata\local\temp\nsyb0e0.tmp\avastbrowserupdatesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1164
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7236 --field-trial-handle=2368,i,7712857698882973906,16764532404281187830,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1500
CMD: "C:\WINDOWS\Temp\asw.19009d3c4cdbf67f\instup.exe" /sfx:lite /sfxstorage:C:\WINDOWS\Temp\asw.19009d3c4cdbf67f /edition:1 /prod:ais /stub_context:7cbeb3c5-6af5-4699-8f35-1d0c2ef76bb2:9931880 /guid:80155fcd-a25d-4f3a-8580-aa83e733d50c /ga_clientid:77952b77-73b7-4006-ae85-9f33c927240f /silent /cookie:mmm_gom_ppi_003_434_m /ga_clientid:77952b77-73b7-4006-ae85-9f33c927240f /edat_dir:C:\WINDOWS\Temp\asw.589414bddc6c4aa6 /geo:DE
Path: C:\Windows\Temp\asw.19009d3c4cdbf67f\Instup.exe
Parent process: avast_free_antivirus_setup_online_x64.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Version:
24.7.9311.0
Modules
Images
c:\windows\temp\asw.19009d3c4cdbf67f\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1656
Command line:
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
Path:
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
Parent process:
VPN.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
MEDIUM
Description:
ReasonLabs Application
Version:
1.4.2
Modules
Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\program files\reasonlabs\common\client\v1.4.2\ffmpeg.dll
c:\windows\system32\rpcrt4.dll
PID:
1884
Command line:
"C:\Users\admin\Downloads\GOMPLAYERGLOBALSETUP_CHROME.EXE"
Path:
C:\Users\admin\Downloads\GOMPLAYERGLOBALSETUP_CHROME.EXE
Parent process:
msedge.exe
User:
admin
Company:
GOM & Company
Integrity Level:
HIGH
Description:
GOMPlayerGlobal Setup File
Exit code:
0
Version:
2.3
Modules
Images
c:\users\admin\downloads\gomplayerglobalsetup_chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
280 777
Read events
273 414
Write events
7 074
Delete events
289

Modification events

(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
L1WatermarkLowPart
Value:
0
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
L1WatermarkHighPart
Value:
0
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateLowDateTime
Value:
0
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateHighDateTime
Value:
0
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateLowDateTime
Value:
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateHighDateTime
Value:
31123707
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
(PID) Process:
(6304) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:
write
Name:
CompatibilityFlags
Value:
0
Executable files
1 130
Suspicious files
695
Text files
1 862
Unknown types
60

Dropped files

PID
Process
Filename
Type
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe5fa0.TMP
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe5fa0.TMP
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe5fa0.TMP
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe5fb0.TMP
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe5fcf.TMP
MD5:
SHA256:
PID:
6488
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
HTTP(S) requests
132
TCP/UDP connections
404
DNS requests
357
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5976
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7248
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5900
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a8381623-5b08-479e-aab0-f1075e82bccf?P1=1723620898&P2=404&P3=2&P4=aiMOgy3ow95RTpFrt0xp8pPZXQHBk%2fLBehxmkO0lNN032eC6LtGIyTXADajBVs7b269CEfLicxVWFaVR2OWAwg%3d%3d
unknown
whitelisted
1884
GOMPLAYERGLOBALSETUP_CHROME.EXE
GET
200
18.66.112.55:80
http://playinfo.gomlab.com/setup_v2/index.gom?setup=player&name=GOMPLAYERGLOBALSETUP_CHROME&bit=32&lang=esp&version=2.3.99.5369&checkdate=202407311637
unknown
whitelisted
5500
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5900
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a8381623-5b08-479e-aab0-f1075e82bccf?P1=1723620898&P2=404&P3=2&P4=aiMOgy3ow95RTpFrt0xp8pPZXQHBk%2fLBehxmkO0lNN032eC6LtGIyTXADajBVs7b269CEfLicxVWFaVR2OWAwg%3d%3d
unknown
whitelisted
1884
GOMPLAYERGLOBALSETUP_CHROME.EXE
GET
200
104.18.21.226:80
http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D
unknown
whitelisted
5900
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a8381623-5b08-479e-aab0-f1075e82bccf?P1=1723620898&P2=404&P3=2&P4=aiMOgy3ow95RTpFrt0xp8pPZXQHBk%2fLBehxmkO0lNN032eC6LtGIyTXADajBVs7b269CEfLicxVWFaVR2OWAwg%3d%3d
unknown
whitelisted
5900
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a8381623-5b08-479e-aab0-f1075e82bccf?P1=1723620898&P2=404&P3=2&P4=aiMOgy3ow95RTpFrt0xp8pPZXQHBk%2fLBehxmkO0lNN032eC6LtGIyTXADajBVs7b269CEfLicxVWFaVR2OWAwg%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1120
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1884
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6720
msedge.exe
52.123.242.232:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
CH
unknown
6488
msedge.exe
239.255.255.250:1900
whitelisted
6720
msedge.exe
52.85.65.73:443
www.gomlab.com
AMAZON-02
US
unknown
6720
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6720
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 104.244.42.131
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.gomlab.com
  • 52.85.65.73
  • 52.85.65.78
  • 52.85.65.101
  • 52.85.65.80
  • 3.161.119.23
  • 3.161.119.57
  • 3.161.119.124
  • 3.161.119.6
unknown
config.edge.skype.com
  • 52.123.242.232
  • 52.123.242.229
  • 52.123.242.224
  • 52.123.242.241
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
bzib.nelreports.net
  • 23.50.131.222
  • 23.50.131.213
whitelisted
www.bing.com
  • 104.126.37.170
  • 104.126.37.162
  • 104.126.37.128
  • 104.126.37.163
  • 104.126.37.144
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.130
  • 104.126.37.153
  • 104.126.37.154
  • 104.126.37.160
  • 104.126.37.176
  • 104.126.37.177
  • 104.126.37.178
  • 104.126.37.168
  • 104.126.37.161
  • 2.23.209.141
  • 2.23.209.158
  • 2.23.209.149
  • 2.23.209.148
  • 2.23.209.150
  • 2.23.209.160
  • 2.23.209.177
  • 2.23.209.140
  • 2.23.209.176
  • 104.126.37.136
  • 104.126.37.155
  • 104.126.37.123
whitelisted
wsa.mig-log.com
  • 3.38.213.81
unknown

Threats

PID
Process
Class
Message
1884
GOMPLAYERGLOBALSETUP_CHROME.EXE
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2256
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
9120
nsoB193.tmp
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
6156
AvastBrowserUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
rsEngineSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
rsEDRSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...
nsxA08B.tmp
2024-08-07T18:58:50 [libnsis] {0000236c:00002370} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
nsxA08B.tmp
2024-08-07T18:58:50 [libnsis] {0000236c:00002370} <1:Debug> (91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62) Throwing exception 0x00000400000715
nsxA08B.tmp
2024-08-07T18:58:50 [libnsis] {0000236c:00002370} <4:Error> (893f00f663353e48\src\jsis-plugins\plugins\UtilitiesPlugin\TagData.cpp:85) 0x00000400000715 91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62
nsxA08B.tmp
2024-08-07T18:58:51 [libnsis] {0000236c:00002370} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nsyB0E0.tmp\CR.History.tmp
nsxA08B.tmp
2024-08-07T18:58:51 [libnsis] {0000236c:00002370} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19912 AND vtime <= 19943 GROUP BY vtime
nsxA08B.tmp
2024-08-07T18:58:51 [libnsis] {0000236c:00002370} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nsyB0E0.tmp\CR.History.tmp
nsxA08B.tmp
2024-08-07T18:58:51 [libnsis] {0000236c:00002370} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19912 AND vtime <= 19943 GROUP BY vtime
nsxA08B.tmp
2024-08-07T18:58:51 [libnsis] {0000236c:00002370} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nsyB0E0.tmp\FF.places.tmp