File name:

0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe

Full analysis: https://app.any.run/tasks/0ed6e0a0-7223-4063-b2e5-0b3f7b674ace
Verdict: Malicious activity
Threats:

Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, which makes it a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Analysis date: September 03, 2025, 17:41:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
auto-reg
ramnit
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

28FDF3798C03ACBE689F34322DA58B95

SHA1:

A720A6E3CD3ABB193612301DFC3003FA3670352A

SHA256:

0F0701E36E181A2FAB0F2644B8E4BF855291605CA29B761105A86AE335E29FDB

SSDEEP:

3072:ghTEMc3vNDep2ZjIYLS+L6QdZ35wu1MOVw0cwrqXENQ67XyMHQjXhIHx6tTbL4O:ATEMsDedYLS+G/ZOXNrXyjXh9tTb0O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RAMNIT has been detected (SURICATA)

      • svchost.exe (PID: 2612)
    • Connects to the CnC server

      • svchost.exe (PID: 2612)
    • Create files in the Startup directory

      • svchost.exe (PID: 2612)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 2612)
      • qytemwsg.exe (PID: 4832)
      • qytemwsg.exe (PID: 5288)
    • UAC/LUA settings modification

      • qytemwsg.exe (PID: 4832)
      • qytemwsg.exe (PID: 5288)
    • Creates or modifies Windows services

      • qytemwsg.exe (PID: 4832)
    • Changes Security Center notification settings

      • qytemwsg.exe (PID: 4832)
      • qytemwsg.exe (PID: 5288)
    • Changes firewall settings

      • qytemwsg.exe (PID: 4832)
    • Disables Windows firewall

      • qytemwsg.exe (PID: 4832)
    • Changes the login/logoff helper path in the registry

      • qytemwsg.exe (PID: 4832)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6236)
      • jsmlocel.exe (PID: 7044)
      • svchost.exe (PID: 2612)
    • Application launched itself

      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6948)
      • jsmlocel.exe (PID: 1800)
      • qytemwsg.exe (PID: 6240)
      • qytemwsg.exe (PID: 4744)
    • Starts itself from another location

      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6236)
    • Creates a software uninstall entry

      • sdbinst.exe (PID: 32)
    • The executable file from the user directory is run by the CMD process

      • qytemwsg.exe (PID: 4744)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2612)
    • Starts CMD.EXE for commands execution

      • jsmlocel.exe (PID: 7044)
    • There is functionality for taking screenshot (YARA)

      • svchost.exe (PID: 2612)
      • svchost.exe (PID: 2508)
    • Reads security settings of Internet Explorer

      • jsmlocel.exe (PID: 7044)
      • ShellExperienceHost.exe (PID: 4088)
  • INFO

    • Checks supported languages

      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6948)
      • jsmlocel.exe (PID: 1800)
      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6236)
      • jsmlocel.exe (PID: 7044)
      • qytemwsg.exe (PID: 4744)
      • qytemwsg.exe (PID: 6240)
      • ShellExperienceHost.exe (PID: 4088)
      • qytemwsg.exe (PID: 4832)
      • qytemwsg.exe (PID: 5288)
    • Create files in a temporary directory

      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6236)
      • jsmlocel.exe (PID: 7044)
    • Reads the computer name

      • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (PID: 6236)
      • jsmlocel.exe (PID: 7044)
      • ShellExperienceHost.exe (PID: 4088)
      • qytemwsg.exe (PID: 5288)
      • qytemwsg.exe (PID: 4832)
    • Creates files or folders in the user directory

      • jsmlocel.exe (PID: 7044)
    • Launching a file from the Startup directory

      • svchost.exe (PID: 2612)
    • Process checks computer location settings

      • jsmlocel.exe (PID: 7044)
    • UPX packer has been detected

      • svchost.exe (PID: 2612)
      • svchost.exe (PID: 2508)
    • Creates files in the program directory

      • svchost.exe (PID: 2612)
    • Launching a file from a Registry key

      • svchost.exe (PID: 2612)
      • qytemwsg.exe (PID: 4832)
      • qytemwsg.exe (PID: 5288)
    • Manual execution by a user

      • qytemwsg.exe (PID: 6240)
    • Checks proxy server information

      • slui.exe (PID: 7108)
    • Reads the software policy settings

      • slui.exe (PID: 7108)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1979:12:01 01:33:44+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 116
CodeSize: 54784
InitializedDataSize: 203264
UninitializedDataSize: -
EntryPoint: 0x173c
OSVersion: 23726.19626
ImageVersion: 17435.48077
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
Total processes
163
Monitored processes
24
Malicious processes
10
Suspicious processes
0

Behavior graph

Processes in the graph:
  • start
  • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe (no specs)
  • 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe
  • jsmlocel.exe (no specs)
  • jsmlocel.exe
  • svchost.exe (#RAMNIT)
  • svchost.exe (no specs)
  • sdbinst.exe (no specs)
  • sdbinst.exe
  • conhost.exe (no specs)
  • iscsicli.exe (no specs)
  • iscsicli.exe
  • conhost.exe (no specs)
  • sdbinst.exe (no specs)
  • sdbinst.exe
  • conhost.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • qytemwsg.exe (no specs)
  • slui.exe
  • qytemwsg.exe
  • shellexperiencehost.exe (no specs)
  • qytemwsg.exe (no specs)
  • qytemwsg.exe
  • svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
32
CMD:
"C:\WINDOWS\SysWOW64\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb"
Path:
C:\Windows\SysWOW64\sdbinst.exe
Parent process:
jsmlocel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Application Compatibility Database Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sdbinst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1712
CMD:
"C:\WINDOWS\system32\sdbinst.exe" /q /u "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb"
Path:
C:\Windows\SysWOW64\sdbinst.exe
Parent process:
jsmlocel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Application Compatibility Database Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sdbinst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
1800
CMD:
C:\Users\admin\AppData\Local\Temp\jsmlocel.exe
Path:
C:\Users\admin\AppData\Local\Temp\jsmlocel.exe
Parent process:
0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\jsmlocel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1828
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
iscsicli.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2200
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2508
CMD:
C:\WINDOWS\system32\svchost.exe
Path:
C:\Windows\SysWOW64\svchost.exe
Parent process:
jsmlocel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
PID:
2612
CMD:
C:\WINDOWS\system32\svchost.exe
Path:
C:\Windows\SysWOW64\svchost.exe
Parent process:
jsmlocel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
PID:
2628
CMD:
"C:\WINDOWS\SysWOW64\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\qytemwsg.exe""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
jsmlocel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2876
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
sdbinst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3108
CMD:
"C:\WINDOWS\system32\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb"
Path:
C:\Windows\SysWOW64\sdbinst.exe
Parent process:
jsmlocel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Application Compatibility Database Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sdbinst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
6 085
Read events
5 926
Write events
155
Delete events
4

Modification events

(PID) Process: (2612) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AwxGhpxi
Value: C:\Users\admin\AppData\Local\rqgtwpor\awxghpxi.exe

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe
Operation: write
Name: {f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
Value: 29E2EA0FFA1CDC01

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
Operation: write
Name: DisplayName
Value: iscsicli

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
Operation: write
Name: UninstallString
Value: %windir%\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\CustomSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb"

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}
Operation: write
Name: DatabasePath
Value: C:\WINDOWS\AppPatch\CustomSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}
Operation: write
Name: DatabaseType
Value: 65536

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}
Operation: write
Name: DatabaseRuntimePlatform
Value: 4

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}
Operation: write
Name: DatabaseDescription
Value: iscsicli

(PID) Process: (32) sdbinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}
Operation: write
Name: DatabaseInstallTimeStamp
Value: 29E2EA0FFA1CDC01

(PID) Process: (7044) jsmlocel.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe
Operation: delete key
Name: (default)
Value:

Executable files
4
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6236
Process: 0f0701e36e181a2fab0f2644b8e4bf855291605ca29b761105a86ae335e29fdb.exe
Filename: C:\Users\admin\AppData\Local\Temp\jsmlocel.exe
Type: executable
MD5: 28FDF3798C03ACBE689F34322DA58B95
SHA256: 0F0701E36E181A2FAB0F2644B8E4BF855291605CA29B761105A86AE335E29FDB

PID: 7044
Process: jsmlocel.exe
Filename: C:\Users\admin\AppData\Local\Temp\qytemwsg.exe
Type: executable
MD5: 28FDF3798C03ACBE689F34322DA58B95
SHA256: 0F0701E36E181A2FAB0F2644B8E4BF855291605CA29B761105A86AE335E29FDB

PID: 2612
Process: svchost.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awxghpxi.exe
Type: executable
MD5: 28FDF3798C03ACBE689F34322DA58B95
SHA256: 0F0701E36E181A2FAB0F2644B8E4BF855291605CA29B761105A86AE335E29FDB

PID: 2612
Process: svchost.exe
Filename: C:\ProgramData\hxlhdlil.log
Type: text
MD5: B5BA7BF2D2B14FE45B91E11D5D987B94
SHA256: 5358259F09AD7F0D05BDAE58EF46B5823742BA5D000ABA6B0ED6CD2B787AEC48

PID: 2612
Process: svchost.exe
Filename: C:\Users\admin\AppData\Local\rqgtwpor\awxghpxi.exe
Type: executable
MD5: 28FDF3798C03ACBE689F34322DA58B95
SHA256: 0F0701E36E181A2FAB0F2644B8E4BF855291605CA29B761105A86AE335E29FDB

PID: 7044
Process: jsmlocel.exe
Filename: C:\Users\admin\AppData\LocalLow\cmd.admin.bat
Type: text
MD5: A93BA8112D1B524DBDD8E50AB38C60B1
SHA256: E202C0A3C2968B23688EB2C9E6EDA8192BA8A4317C4275017590247F5BD46306

PID: 7044
Process: jsmlocel.exe
Filename: C:\Users\admin\AppData\LocalLow\com.admin.sdb
Type: binary
MD5: 6E0BDB9E821A27BF740C98D6A60594BC
SHA256: 04176B2414414FCB81100FAC2DD5D42BD8C50038F414A61714838D9387D8C1F1

PID: 32
Process: sdbinst.exe
Filename: C:\Windows\apppatch\CustomSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
Type: binary
MD5: 6E0BDB9E821A27BF740C98D6A60594BC
SHA256: 04176B2414414FCB81100FAC2DD5D42BD8C50038F414A61714838D9387D8C1F1

PID: 2612
Process: svchost.exe
Filename: C:\Users\admin\AppData\Local\ttdjftbk.log
Type: binary
MD5: 5B41ED5F6E69A2837B1EE23486532D05
SHA256: CFA8DC53F0BACF67E129EDF9062D2B7357EFDB31EA3420B848810197196375F2
HTTP(S) requests
43
TCP/UDP connections
52
DNS requests
29
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1976 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1976 | RUXIMICS.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | unknown
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown
- | - | POST | 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1976 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1976 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1976 | RUXIMICS.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 72.246.29.11
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.73
  • 40.126.31.1
  • 40.126.31.73
  • 20.190.159.75
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.128
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
b18w187yebsoi.com
unknown
fkbpvfnbhfwedagussg.com
unknown
eukbhtrjtp.com
  • 34.253.60.188
unknown

Threats

PID | Process | Class | Message
2612 | svchost.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Ramnit Checkin
2612 | svchost.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Ramnit Checkin

Process | Message
qytemwsg.exe | CheckBypassed ok