File name: MuMu_5.0.1_oTSYJNC.exe
Full analysis: https://app.any.run/tasks/d45f7520-be50-4ad6-8972-8555c6314ba6
Verdict: Malicious activity
Analysis date: September 21, 2025, 16:57:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: FB63C86835576A39EFCA20F491A678A5
SHA1: 0F192E4338979376CBB630037E891999B3579C92
SHA256: 3B0C4F9E070D7C620B6D2CC315B57E8A2C849ECD50B9AC53EE4425CCE78FD35F
SSDEEP: 98304:DarpZ1+6zudBEqRXjDv62clp974bA7HvPsPSGkCpKs+YXD93VXFjiHq79e0Sfe2V:2d53PLUFa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ColaBoxChecker.exe (PID: 6936)
      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Drops a system driver (possible attempt to evade defenses)

      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • ColaBoxChecker.exe (PID: 6936)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Launching a dropped file

      • ColaBoxChecker.exe (PID: 6936)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
    • Reads security settings of Internet Explorer

      • nemu-downloader.exe (PID: 6876)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • The process drops C-runtime libraries

      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Potential Corporate Privacy Violation

      • MuMuDownloader.exe (PID: 6756)
    • There is functionality for taking screenshot (YARA)

      • nemu-downloader.exe (PID: 6876)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5780)
      • sc.exe (PID: 5928)
      • sc.exe (PID: 1160)
      • sc.exe (PID: 1128)
      • sc.exe (PID: 2320)
    • Drops 7-zip archiver for unpacking

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Process drops legitimate windows executable

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
    • The process creates files with name similar to system file names

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Creates/Modifies COM task schedule object

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
      • regsvr32.exe (PID: 5900)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
  • INFO

    • The sample compiled with Chinese language support

      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • The sample compiled with English language support

      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Checks supported languages

      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • ColaBoxChecker.exe (PID: 6936)
      • nemu-downloader.exe (PID: 6876)
      • HyperVChecker.exe (PID: 2288)
      • HyperVChecker.exe (PID: 3788)
      • MuMuDownloader.exe (PID: 6756)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
      • HyperVChecker.exe (PID: 5772)
      • MuMuVMMSVC.exe (PID: 472)
      • NetLwfUninstall.exe (PID: 1944)
      • SUPUninstall.exe (PID: 5712)
      • MuMuVMMSVC.exe (PID: 4512)
      • SUPInstall.exe (PID: 1508)
      • SUPUninstall.exe (PID: 6840)
    • Create files in a temporary directory

      • nemu-downloader.exe (PID: 6876)
      • MuMu_5.0.1_oTSYJNC.exe (PID: 5240)
      • MuMuDownloader.exe (PID: 6756)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
      • ColaBoxChecker.exe (PID: 6936)
    • Reads the computer name

      • nemu-downloader.exe (PID: 6876)
      • MuMuDownloader.exe (PID: 6756)
      • ColaBoxChecker.exe (PID: 6936)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
      • MuMuVMMSVC.exe (PID: 472)
      • NetLwfUninstall.exe (PID: 1944)
      • MuMuVMMSVC.exe (PID: 4512)
      • SUPUninstall.exe (PID: 5712)
      • SUPInstall.exe (PID: 1508)
      • SUPUninstall.exe (PID: 6840)
    • Reads the software policy settings

      • nemu-downloader.exe (PID: 6876)
      • slui.exe (PID: 3396)
    • Reads the machine GUID from the registry

      • MuMuDownloader.exe (PID: 6756)
    • Creates files in the program directory

      • nemu-downloader.exe (PID: 6876)
      • MuMu-setup-V5.6.1.1733-overseas-0912180534.exe (PID: 5188)
    • Checks proxy server information

      • slui.exe (PID: 3396)
    • Process checks computer location settings

      • nemu-downloader.exe (PID: 6876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
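Most of the signatures above are ordinary installer behaviour (C runtime drops, 7-Zip SFX unpacking, sc queries, a firewall rule for the emulator's networking); the one MALICIOUS-class hit is the silent regsvr32 registration, and the process table further down shows that what it registers is the installer's own MuMuVMMProxyStub.dll and MuMuVMMC.dll under C:\Program Files\MuMuVMMVbox. The Python script below is an example added here, not ANY.RUN's or NetEase's code, and reproduces the triage an analyst would apply to that process table: it tokenizes each recorded command line, turns regsvr32, sc and netsh usage into findings whose severity depends on whether the registered DLL lives in a user-writable location, decodes sc exit code 1060, and recognises WOW64 file-system redirection so a SysWOW64 image path is not mistaken for a substituted binary. The records are transcribed from the report; the netsh record is constructed, since the report names netsh.exe without showing its arguments or PID, and the ATT&CK IDs are the editor's mapping rather than the report's.

```python
"""Triage a sandbox process table for LOLBin-driven installer activity.

Added example for this report, not ANY.RUN's or NetEase's code. Records are
transcribed from the "Process information" section of the report; the netsh
record is CONSTRUCTED because the report names netsh.exe without showing its
command line or PID. ATT&CK IDs are the editor's mapping, not the report's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 error returned by `sc query <name>` when no such service is installed.
ERROR_SERVICE_DOES_NOT_EXIST = 1060

# Locations an unprivileged user can write to: a DLL registered from here is
# far more interesting than one under Program Files or the Windows directory.
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\", re.I)

# Windows command-line tokenizer: quoted strings stay whole, otherwise split on
# whitespace. shlex is avoided because it applies POSIX backslash escaping.
TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                       # image path as recorded by the sandbox
    cmdline: str                     # command line as recorded
    parent: str
    exit_code: Optional[int] = None


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str                   # ATT&CK ID, "-" for a plain observation
    severity: str                    # info | low | medium | high
    detail: str


SETUP = "MuMu-setup-V5.6.1.1733-overseas-0912180534.exe"
HV = r"C:\Program Files\MuMuVMMVbox\Hypervisor"
PROCS = [
    Proc(1128, r"C:\Windows\SysWOW64\sc.exe",
         r'"C:\WINDOWS\system32\sc.exe" query MuMuVMMDrv', SETUP, 0),
    Proc(1160, r"C:\Windows\SysWOW64\sc.exe",
         r'"C:\WINDOWS\system32\sc.exe" query MuMuVMMDrv', SETUP, 1060),
    Proc(1388, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'"C:\WINDOWS\system32\regsvr32.exe" /s "%s\MuMuVMMProxyStub.dll"' % HV, SETUP, 0),
    Proc(1740, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'"C:\WINDOWS\system32\regsvr32.exe" /u /s "%s\MuMuVMMProxyStub.dll"' % HV, SETUP, 0),
    Proc(2220, r"C:\Windows\System32\regsvr32.exe",
         r' /u /s "%s\MuMuVMMC.dll"' % HV, "regsvr32.exe", 0),
    # CONSTRUCTED record: PID and arguments are not in the report.
    Proc(99999, r"C:\Windows\System32\netsh.exe",
         r'"C:\WINDOWS\system32\netsh.exe" advfirewall firewall add rule '
         r'name=constructed dir=in action=allow program=C:\constructed\app.exe',
         SETUP, 0),
]


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line and drop a leading program-path token."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if toks and toks[0].lower().endswith(".exe"):
        toks = toks[1:]
    return toks


def has_switch(toks: List[str], switch: str) -> bool:
    return any(t.lower() == switch for t in toks)


def wow64_redirected(p: Proc) -> bool:
    """The command line asked for \\system32\\ but the image ran from \\SysWOW64\\:
    a 32-bit parent launched the tool and WOW64 file-system redirection picked
    the 32-bit copy. Expected for a 32-bit installer, not a substituted binary."""
    return "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower()


def triage(procs: List[Proc]) -> List[Finding]:
    out: List[Finding] = []
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        toks = tokens(p.cmdline)
        low = [t.lower() for t in toks]
        if name == "regsvr32.exe":
            dlls = [t for t in toks if t.lower().endswith(".dll")]
            dll = dlls[0] if dlls else "<no DLL on command line>"
            verb = "unregister" if has_switch(toks, "/u") else "register"
            silent = " silently" if has_switch(toks, "/s") else ""
            sev = "high" if USER_WRITABLE.search(dll) else "low"
            out.append(Finding(p.pid, "T1218.010", sev, f"regsvr32 {verb}{silent}: {dll}"))
        elif name == "sc.exe":
            verb = low[0] if low else ""
            target = toks[1] if len(toks) > 1 else ""
            if verb in ("create", "config", "start", "delete"):
                out.append(Finding(p.pid, "T1543.003", "medium", f"sc {verb} {target}"))
            else:
                note = ""
                if p.exit_code == ERROR_SERVICE_DOES_NOT_EXIST:
                    note = " (exit 1060: the service did not exist when queried)"
                out.append(Finding(p.pid, "T1007", "info", f"sc {verb} {target}{note}"))
        elif name == "netsh.exe" and ("advfirewall" in low or "firewall" in low) and "add" in low:
            out.append(Finding(p.pid, "T1562.004", "medium", "netsh firewall change: " + " ".join(toks)))
        if wow64_redirected(p):
            out.append(Finding(p.pid, "-", "info",
                               f"{name} ran from SysWOW64 via WOW64 redirection (parent {p.parent})"))
    return out


if __name__ == "__main__":
    for f in triage(PROCS):
        print(f"{f.pid:>6}  {f.technique:<10} {f.severity:<7} {f.detail}")
```

Run as is, the script reports three low-severity regsvr32 findings (all targets under Program Files), two service-discovery entries of which the second carries the 1060 decode, the constructed firewall change, and four WOW64 redirection notes; a DLL path under Users, Temp or AppData would lift a regsvr32 finding to high, which is the case this heuristic is actually for.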
No Malware configuration.

TRiD (file-type identification, confidence in %)

.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:06:15 13:00:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 197632
UninitializedDataSize: -
EntryPoint: 0x7c84
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 22.0.0.0
ProductVersionNumber: 22.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NetEase, Inc.
FileDescription: MuMuPlayer
FileVersion: 2022
InternalName: 7zS2.sfx
LegalCopyright: Copyright (C) 2022
OriginalFileName: NemuDownloader.exe
ProductName: MuMuPlayer
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 192
Monitored processes: 47
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process launch order as shown in the graph (root node "start"; "no specs" is the graph's own marker and is kept as-is):
start
mumu_5.0.1_otsyjnc.exe
nemu-downloader.exe
colaboxchecker.exe
conhost.exe (no specs)
hypervchecker.exe (no specs)
conhost.exe (no specs)
hypervchecker.exe (no specs)
conhost.exe (no specs)
hypervchecker.exe (no specs)
conhost.exe (no specs)
mumudownloader.exe
conhost.exe (no specs)
slui.exe
mumu-setup-v5.6.1.1733-overseas-0912180534.exe
sc.exe (no specs)
conhost.exe (no specs)
sc.exe (no specs)
conhost.exe (no specs)
mumuvmmsvc.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
mumuvmmsvc.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
netlwfuninstall.exe (no specs)
conhost.exe (no specs)
supuninstall.exe (no specs)
conhost.exe (no specs)
supuninstall.exe (no specs)
conhost.exe (no specs)
sc.exe (no specs)
conhost.exe (no specs)
supinstall.exe (no specs)
conhost.exe (no specs)
sc.exe (no specs)
conhost.exe (no specs)
sc.exe (no specs)
conhost.exe (no specs)
netsh.exe (no specs)
netsh.exe (no specs)
conhost.exe (no specs)
conhost.exe (no specs)
mumu_5.0.1_otsyjnc.exe (no specs)

Process information

Each entry gives the PID, command line, image path and parent process, then the user, integrity level, exit code and version recorded for it, and the first images loaded into it. Two recording details matter when reading the entries. Where a 32-bit process launched C:\WINDOWS\system32\sc.exe or regsvr32.exe, the image path reads C:\Windows\SysWOW64\..., which is WOW64 file-system redirection selecting the 32-bit copy for a 32-bit caller, not a substituted binary. PID 2220 is the 64-bit C:\Windows\System32\regsvr32.exe with only its arguments recorded and a regsvr32.exe parent, consistent with the 32-bit regsvr32 handing a DLL of the other bitness to its 64-bit counterpart.
PID 472
CMD: "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer
Path: C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Company: NetEase Corporation
Integrity Level: HIGH
Description: MuMuVMM Interface
Exit code: 0
Version: 6.1.36.152435
Modules (images):
c:\program files\mumuvmmvbox\hypervisor\mumuvmmsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID 592
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ColaBoxChecker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1036
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: HyperVChecker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1128
CMD: "C:\WINDOWS\system32\sc.exe" query MuMuVMMDrv
Path: C:\Windows\SysWOW64\sc.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1160
CMD: "C:\WINDOWS\system32\sc.exe" query MuMuVMMDrv
Path: C:\Windows\SysWOW64\sc.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST: no service named MuMuVMMDrv was installed when this query ran)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1388
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 1508
CMD: "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe"
Path: C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\mumuvmmvbox\loadeddrivers\supinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\mumuvmmvbox\loadeddrivers\msvcr100.dll
c:\program files\mumuvmmvbox\loadeddrivers\mumuvmmrt.dll
c:\program files\mumuvmmvbox\loadeddrivers\msvcp100.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID 1740
CMD: "C:\WINDOWS\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 1944
CMD: "C:\Program Files\MuMuVMMVbox\Hypervisor\NetLwfUninstall.exe"
Path: C:\Program Files\MuMuVMMVbox\Hypervisor\NetLwfUninstall.exe
Parent process: MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\mumuvmmvbox\hypervisor\netlwfuninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 2220
CMD: /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 6 094
Read events: 6 075
Write events: 19
Delete events: 0

Modification events

PID 6876 (nemu-downloader.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NemuServer
Operation: write   Name: uuid
Value: 5f3e8012-92de-4180-a2e0-cd0ab109b285

PID 6876 (nemu-downloader.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NemuServer
Operation: write   Name: channel
Value: aff

PID 6876 (nemu-downloader.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NemuServer
Operation: write   Name: campaign
Value: 352993

PID 6876 (nemu-downloader.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NemuServer
Operation: write   Name: package
Value: mumu

PID 5188 (MuMu-setup-V5.6.1.1733-overseas-0912180534.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Operation: write   Name: InprocServer32
Value: C:\WINDOWS\system32\oleaut32.dll

PID 5188 (MuMu-setup-V5.6.1.1733-overseas-0912180534.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Operation: write   Name: ThreadingModel
Value: Both

PID 5188 (MuMu-setup-V5.6.1.1733-overseas-0912180534.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Operation: write   Name: InprocServer32
Value: C:\WINDOWS\system32\oleaut32.dll

PID 5188 (MuMu-setup-V5.6.1.1733-overseas-0912180534.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Operation: write   Name: InprocServer32
Value: C:\WINDOWS\system32\oleaut32.dll

PID 5188 (MuMu-setup-V5.6.1.1733-overseas-0912180534.exe)
Key: HKEY_CLASSES_ROOT\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Operation: write   Name: InprocServer32
Value: C:\WINDOWS\system32\oleaut32.dll

PID 5188 (MuMu-setup-V5.6.1.1733-overseas-0912180534.exe)
Key: HKEY_CLASSES_ROOT\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Operation: write   Name: ThreadingModel
Value: Both
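Every CLSID write listed above is an InprocServer32 entry for {00020420-0000-0000-C000-000000000046} (PSDispatch) or {00020424-0000-0000-C000-000000000046} (PSOAInterface), the stock OLE Automation proxy/stub classes that type-library registration re-asserts, and every one points at C:\WINDOWS\system32\oleaut32.dll, which is where a clean Windows install already has them. The installer is rewriting the default, not redirecting a COM class. The check below is what turns a COM-registration signature into a decision: a per-user (HKEY_CURRENT_USER\Software\Classes) CLSID write, a server path outside the Windows and Program Files trees, or a well-known system CLSID pointed anywhere but its stock server are what a COM hijack looks like. It is an example added here, not ANY.RUN's or NetEase's code; the CLSID events are transcribed from the report, one constructed event shows the hijack-shaped case for contrast, and the table of stock servers covers only the two CLSIDs seen in this run.

```python
"""Triage CLSID\\...\\InprocServer32 registry writes for COM-hijack shape.

Added example for this report, not ANY.RUN's or NetEase's code. The CLSID
events are transcribed from the "Modification events" section; the last event
is CONSTRUCTED to show what a per-user, hijack-shaped write looks like.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    key: str
    name: str
    value: str


# Stock Windows in-process servers for the two CLSIDs this report touches, the
# OLE Automation proxy/stub classes that RegisterTypeLib re-asserts. Any write
# that points one of them elsewhere is a redirect, whoever wrote it.
KNOWN_DEFAULTS = {
    "{00020420-0000-0000-C000-000000000046}": "oleaut32.dll",   # PSDispatch
    "{00020424-0000-0000-C000-000000000046}": "oleaut32.dll",   # PSOAInterface
}

CLSID_KEY = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\WINDOWS\\(System32|SysWOW64)\\", re.I)
VENDOR_DIRS = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)


def misplaced(ev: RegEvent) -> bool:
    """As recorded, some keys sit under HKLM\\SOFTWARE\\Classes\\SOFTWARE\\Classes.
    HKCR merges HKLM\\SOFTWARE\\Classes with HKCU\\SOFTWARE\\Classes, so a CLSID
    written there is not where COM activation looks and has no effect."""
    return "\\SOFTWARE\\Classes\\SOFTWARE\\Classes\\" in ev.key


def assess(ev: RegEvent) -> Optional[List[str]]:
    """None when the write is not an InprocServer32 path; otherwise the list of
    hijack-shaped properties (empty list = ordinary system/vendor registration)."""
    m = CLSID_KEY.search(ev.key)
    if not m or ev.name.lower() not in ("inprocserver32", "(default)", ""):
        return None
    clsid = m.group(1).upper()
    hive = ev.key.split("\\", 1)[0].upper()
    flags: List[str] = []
    if hive == "HKEY_CURRENT_USER":
        # Per-user Classes take precedence over HKLM for non-elevated processes.
        flags.append("per-user CLSID override under HKCU\\Software\\Classes")
    if not (SYSTEM_DIRS.match(ev.value) or VENDOR_DIRS.match(ev.value)):
        flags.append(f"server outside Windows and Program Files: {ev.value}")
    default = KNOWN_DEFAULTS.get(clsid)
    if default and ev.value.rsplit("\\", 1)[-1].lower() != default:
        flags.append(f"{clsid} moved off its stock server {default}")
    return flags


def hijack_shaped(events: List[RegEvent]) -> List[RegEvent]:
    """Events whose InprocServer32 write carries at least one flag."""
    return [ev for ev in events if assess(ev)]


SETUP = "MuMu-setup-V5.6.1.1733-overseas-0912180534.exe"
OLEAUT = r"C:\WINDOWS\system32\oleaut32.dll"
PSOA = "{00020424-0000-0000-C000-000000000046}"
PSDISP = "{00020420-0000-0000-C000-000000000046}"
EVENTS = [
    RegEvent(6876, "nemu-downloader.exe",
             r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NemuServer", "uuid",
             "5f3e8012-92de-4180-a2e0-cd0ab109b285"),
    RegEvent(5188, SETUP, r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\%s\InprocServer32" % PSOA,
             "InprocServer32", OLEAUT),
    RegEvent(5188, SETUP, r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\%s\InprocServer32" % PSOA,
             "ThreadingModel", "Both"),
    RegEvent(5188, SETUP, r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InprocServer32" % PSOA,
             "InprocServer32", OLEAUT),
    RegEvent(5188, SETUP, r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InprocServer32" % PSDISP,
             "InprocServer32", OLEAUT),
    RegEvent(5188, SETUP, r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % PSOA,
             "InprocServer32", OLEAUT),
    # CONSTRUCTED: not in the report; the shape a per-user COM hijack would have.
    RegEvent(4242, "constructed.exe",
             r"HKEY_CURRENT_USER\Software\Classes\CLSID\%s\InprocServer32" % PSOA,
             "InprocServer32", r"C:\Users\admin\AppData\Local\Temp\constructed.dll"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, ev.process, ev.name, assess(ev), "misplaced" if misplaced(ev) else "")
```

On the report's own events the check returns an empty flag list for each InprocServer32 write and None for the ThreadingModel and NemuServer writes; only the constructed HKCU event trips all three conditions, which is the separation an analyst needs before treating a COM registration as persistence.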
Executable files: 838
Suspicious files: 425
Text files: 2 195
Unknown types: 0

Dropped files

Each entry gives the dropping PID and process, the file path with its recorded type, and the hashes where the report has them.

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\winring0x64.cat (binary)
MD5: E7CEE7F541C057F490D486927D659122
SHA256: 317D01D9956F052D929FDBAC258F1A2DC5163D3432FC488023A1F4D332AE3D45

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\winring0.cat (binary)
MD5: 5691A9B76C5B0BD1DD83687F5F0E87A1
SHA256: 784E031565C67F1D29640C62F0CC205D5B56C1F78BE894252CCE06474B64A618

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\WinRing0.inf (binary)
MD5: F069F20871CB316BFB73C276393D1648
SHA256: 07942017E8CAAA1065867AECC561577199E53142545CB6FB41239AE4C607D46B

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\config.ini (text)
MD5: 93D8902A85FA8A5BB38C701079E5B501
SHA256: EF36A66D0FD2F1981AA3800496C2338B4E6AEC026563E233C5A52DD5E1029CCB

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\skin.zip (compressed)
MD5: C01004C761BE512F82C0DE3AAB2D98A2
SHA256: 66C5A482416D2FB27E98077D6B4E633BA5A87FBFB84355BB2C1BB1E195549568

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\vcruntime140.dll (executable)
MD5: 1E6E97D60D411A2DEE8964D3D05ADB15
SHA256: 8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\nemu-downloader.exe (executable)
MD5: 927FF00C368BC038C3A65AAD62240118
SHA256: D971CA14A370C10D165008A8E60F2CEB5DDF40C8C32DBF50504BC03429CED283

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\MuMuDownloader.exe (executable)
MD5: 2F3D77B4F587F956E9987598B0A218EB
SHA256: 2F980C56D81F42BA47DC871A04406976DC490DED522131CE9A2E35C40CA8616E

PID 6756 (MuMuDownloader.exe)
File: C:\Users\admin\AppData\Local\Temp\MuMu-setup-V5.6.1.1733-overseas-0912180534.exe
MD5:
SHA256:

PID 5240 (MuMu_5.0.1_oTSYJNC.exe)
File: C:\Users\admin\AppData\Local\Temp\7z8A53F478\msvcp140.dll (executable)
MD5: FF877A5DFFD764197250BD4BA28496B1
SHA256: 83F935454AE8E450B6F042509ECF28CCEFF95EDB2495C63A782B9D45C2EAF1C0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 42
DNS requests: 25
Threats: 11

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
(- = not recorded in the report)
1268 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
6876 | nemu-downloader.exe | GET | 200 | 76.223.88.1:80 | http://76.223.88.1/v2/?domain=a11.gdl.easebar.com | US | binary | 88 b | unknown
6756 | MuMuDownloader.exe | GET | - | 213.155.157.160:80 | http://213.155.157.160:80/MuMu-setup-V5.6.1.1733-overseas-0912180534.exe | SE | - | - | unknown
6756 | MuMuDownloader.exe | GET | - | 213.155.157.160:80 | http://213.155.157.160:80/MuMu-setup-V5.6.1.1733-overseas-0912180534.exe | SE | - | - | unknown
6756 | MuMuDownloader.exe | GET | - | 213.155.157.160:80 | http://213.155.157.160:80/MuMu-setup-V5.6.1.1733-overseas-0912180534.exe | SE | - | - | unknown
6756 | MuMuDownloader.exe | GET | - | 213.155.157.160:80 | http://213.155.157.160:80/MuMu-setup-V5.6.1.1733-overseas-0912180534.exe | SE | - | - | unknown
4224 | svchost.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
6756 | MuMuDownloader.exe | GET | - | 213.155.157.160:80 | http://213.155.157.160:80/MuMu-setup-V5.6.1.1733-overseas-0912180534.exe | SE | - | - | unknown
2112 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 407 b | whitelisted
2112 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | DE | binary | 824 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(- = not recorded in the report)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3644 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6876 | nemu-downloader.exe | 34.36.47.246:443 | api.mumuglobal.com | GOOGLE-CLOUD-PLATFORM | US | unknown
6876 | nemu-downloader.exe | 23.215.21.22:443 | dns.update.easebar.com | Akamai International B.V. | US | unknown
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
api.mumuglobal.com
  • 34.36.47.246
unknown
dns.update.easebar.com
  • 23.215.21.22
unknown
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
a11.gdl.easebar.com
  • 2.19.126.157
  • 2.19.126.142
malicious
login.live.com
  • 40.126.32.68
  • 20.190.160.132
  • 20.190.160.22
  • 40.126.32.76
  • 20.190.160.14
  • 20.190.160.4
  • 40.126.32.138
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 23.63.118.230
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted

Threats

PID | Process | Class | Message
(- = not recorded in the report)
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
6756 | MuMuDownloader.exe | A Network Trojan was detected | ET USER_AGENTS Aria2 User-Agent
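The Threats table carries only signature names. The eight "ET USER_AGENTS Aria2 User-Agent" hits and the single "ET INFO PE EXE or DLL Windows file download HTTP" hit all belong to PID 6756 (MuMuDownloader.exe) and line up with the five GETs for MuMu-setup-V5.6.1.1733-overseas-0912180534.exe from the bare IP 213.155.157.160:80 in the HTTP table above. "A Network Trojan was detected" is the classtype attached to that user-agent rule, not a malware-family identification; the rule fires on any aria2 client. The script below is an example added here, not ANY.RUN's, Emerging Threats' or NetEase's code. It reimplements the three observations as checks over HTTP transactions, matching the aria2 user-agent, verifying that a body fetched over plaintext HTTP really carries an MZ/PE signature, and flagging an executable served from a bare IP, while dropping the CRL/OCSP traffic every Windows host produces. PIDs, process names and URLs come from the report; the User-Agent strings and response bytes are constructed, because the report does not reproduce them.

```python
"""Rule-style triage of HTTP transactions from a sandbox run.

Added example for this report, not ANY.RUN's, Emerging Threats' or NetEase's
code. PIDs, process names and URLs come from the report's HTTP table; the
User-Agent strings and response bytes are CONSTRUCTED because the report does
not reproduce them.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Http:
    pid: int
    process: str
    url: str
    user_agent: str
    body_prefix: bytes            # first bytes of the response body, if captured


# Certificate-status plumbing every Windows host produces; dropped before the
# checks run so the findings list is only the downloader's traffic.
ALLOW_HOSTS = {"crl.microsoft.com", "ocsp.digicert.com", "www.microsoft.com"}
EXE_SUFFIXES = (".exe", ".dll", ".msi", ".sys")
Finding = Tuple[int, str, str]        # (pid, rule, detail)


def fake_pe_prefix() -> bytes:
    """CONSTRUCTED stand-in for the start of a PE file: an 'MZ' stub whose
    e_lfanew field (offset 0x3c) points at a 'PE\\0\\0' signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"


def looks_like_pe(body: bytes) -> bool:
    """'MZ' plus the PE signature at e_lfanew when enough bytes were captured;
    a bare 'MZ' still counts when the capture is too short to go further."""
    if body[:2] != b"MZ":
        return False
    if len(body) < 0x40:
        return True
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if len(body) < e_lfanew + 4:
        return True
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def bare_ip_host(url: str) -> bool:
    """True when the URL names a literal IP instead of a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage_http(records: List[Http]) -> List[Finding]:
    out: List[Finding] = []
    for r in records:
        parts = urlsplit(r.url)
        if (parts.hostname or "") in ALLOW_HOSTS:
            continue
        # Analogue of "ET USER_AGENTS Aria2 User-Agent": fires on any aria2
        # client, so it identifies a download tool, not a malware family.
        if r.user_agent.lower().startswith("aria2/"):
            out.append((r.pid, "aria2-user-agent", r.user_agent))
        # Analogue of "ET INFO PE EXE or DLL Windows file download HTTP":
        # executable content over plaintext HTTP, decided on the bytes.
        if parts.scheme == "http" and looks_like_pe(r.body_prefix):
            out.append((r.pid, "pe-download-over-http", r.url))
        # No signature for this in the report; an executable fetched from a
        # bare IP with no hostname is worth a line of its own.
        if bare_ip_host(r.url) and parts.path.lower().endswith(EXE_SUFFIXES):
            out.append((r.pid, "exe-from-bare-ip", r.url))
    return out


SETUP_URL = "http://213.155.157.160:80/MuMu-setup-V5.6.1.1733-overseas-0912180534.exe"
RECORDS = [
    # CONSTRUCTED UA and body (a DER-encoded CRL starts with a SEQUENCE tag).
    Http(1268, "svchost.exe",
         "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
         "Microsoft-CryptoAPI/10.0", b"0\x82"),
    Http(6876, "nemu-downloader.exe", "http://76.223.88.1/v2/?domain=a11.gdl.easebar.com",
         "constructed-ua/1.0", b"{}"),
    # First GET for the installer with the body captured (CONSTRUCTED UA/body).
    Http(6756, "MuMuDownloader.exe", SETUP_URL, "aria2/1.36.0", fake_pe_prefix()),
    # A later GET for the same URL with nothing captured: only UA and URL rules can fire.
    Http(6756, "MuMuDownloader.exe", SETUP_URL, "aria2/1.36.0", b""),
]

if __name__ == "__main__":
    for pid, rule, detail in triage_http(RECORDS):
        print(f"{pid:>6}  {rule:<22} {detail}")
```

On these records the CRL request produces nothing, the nemu-downloader request to 76.223.88.1 produces nothing (bare IP, but the path is not an executable), and the two installer GETs yield the aria2 and bare-IP findings each, with the PE finding only on the request whose body was captured; that last distinction is why the byte check, not the URL suffix, decides the PE rule.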
No debug info