File name: RMS.exe
Full analysis: https://app.any.run/tasks/2bdf01c6-b3ca-4f2b-90ae-63edc1b0ee6e
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for illicit activity on compromised systems. Common RAT features include access to user data, the webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: July 09, 2025, 16:54:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: rms, rat, auto-sch, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 3BBB8791FB75D937022D971EA1909A2E
SHA1: CCAF5983E3815A55EC1E916AA403E41FFDDCDC49
SHA256: 8A142D760D0DED880220B9CE3C88B918423BD214DF3BB04C6910EC5A21442EDB
SSDEEP: 98304:r5Z+LGpsmLcngsaAYbx12n6qwjVLJ5mFTb1pQGzr7LNhJkX7dqClM54PyOIRXs0S:B+hFPNZbc2EeJUO9WLcb0f0UJiZK8Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RMS has been detected

      • regedit.exe (PID: 6948)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
    • Known privilege escalation attack

      • dllhost.exe (PID: 1328)
    • Drop RMS (RAT) executable file

      • RMS.exe (PID: 1984)
    • RMS mutex has been found

      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
    • Uses Task Scheduler to autorun other applications

      • RMS.exe (PID: 1984)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 6700)
    • RMS has been detected (YARA)

      • rfusclient.exe (PID: 2136)
      • rutserv.exe (PID: 3940)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
    • Starts POWERSHELL.EXE for commands execution

      • RMS.exe (PID: 5368)
      • powershell.exe (PID: 3676)
    • Possibly malicious use of IEX has been detected

      • RMS.exe (PID: 5368)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 3676)
      • cmstp.exe (PID: 5060)
    • BASE64 encoded PowerShell command has been detected

      • RMS.exe (PID: 5368)
      • powershell.exe (PID: 3676)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 3676)
    • Application launched itself

      • powershell.exe (PID: 3676)
      • rfusclient.exe (PID: 2136)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • powershell.exe (PID: 5456)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5080)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 5080)
      • RMS.exe (PID: 1984)
    • Write to the desktop.ini file (may be used to cloak folders)

      • RMS.exe (PID: 1984)
    • Uses ATTRIB.EXE to modify file attributes

      • RMS.exe (PID: 1984)
    • Uses REG/REGEDIT.EXE to modify registry

      • RMS.exe (PID: 1984)
    • Reads the date of Windows installation

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Starts CMD.EXE for commands execution

      • RMS.exe (PID: 1984)
    • Executes as Windows Service

      • rutserv.exe (PID: 3940)
    • Adds/modifies Windows certificates

      • rutserv.exe (PID: 3940)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 1328)
    • Connects to unusual port

      • rutserv.exe (PID: 3940)
    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 6700)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 6700)
    • The process executes via Task Scheduler

      • wscript.exe (PID: 6700)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 6700)
    • Accesses name of a user that is currently logged on via WMI (SCRIPT)

      • wscript.exe (PID: 6700)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 6700)
    • Potential Corporate Privacy Violation

      • rutserv.exe (PID: 3940)
  • INFO

    • Checks supported languages

      • RMS.exe (PID: 5368)
      • csc.exe (PID: 5080)
      • cvtres.exe (PID: 2648)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 4664)
    • The sample was compiled with English language support

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
    • Process checks computer location settings

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Reads the computer name

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 4664)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Disables trace logs

      • cmstp.exe (PID: 5060)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 5060)
    • Create files in a temporary directory

      • csc.exe (PID: 5080)
      • cvtres.exe (PID: 2648)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 5080)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 3940)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 2976)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Creates files in the program directory

      • dllhost.exe (PID: 1328)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
    • Reads product name

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Reads Windows Product ID

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rutserv.exe (PID: 2976)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Reads Environment values

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Reads the software policy settings

      • rutserv.exe (PID: 3940)
      • slui.exe (PID: 7016)
    • Manual execution by a user

      • verclsid.exe (PID: 5928)
      • wscript.exe (PID: 3572)
    • Compiled with Borland Delphi (YARA)

      • rfusclient.exe (PID: 2136)
      • rutserv.exe (PID: 3940)
    • Checks proxy server information

      • slui.exe (PID: 7016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
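The signatures for powershell.exe (PID 3676) above, a base64-encoded command, a change to the AMSI initialization state, IEX and a sleep, are what an analyst sees before decoding anything. The report does not reproduce the encoded command line, so the following is an added example (not ANY.RUN's code and not part of the sample) that decodes a -EncodedCommand argument the way powershell.exe does, base64 over UTF-16LE, and scans the result for exactly those behaviours. SAMPLE_SCRIPT and SAMPLE_CMDLINE are constructed stand-ins built from widely published AMSI-tampering idioms; the indicator list and the regexes are this example's own choices.

```python
"""
Decode a powershell.exe -EncodedCommand argument and scan the decoded
script for the behaviours the report attributes to PID 3676 (base64
encoding, AMSI initialization tampering, IEX, Start-Sleep).

Added example for this report; not ANY.RUN's code and not part of the
RMS sample. SAMPLE_SCRIPT is a constructed stand-in, not the command
line RMS.exe actually passed to powershell.exe.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, ...), in any case. "-ExecutionPolicy", "-Exec" and
# "-ep" do not match: the character after "-e" must be "c" or "n".
_ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# Substrings that rarely occur outside AMSI / script-logging tampering
# (this example's own list, not ANY.RUN's signature content).
AMSI_INDICATORS = (
    "amsiinitfailed",
    "amsiutils",
    "amsicontext",
    "amsiscanbuffer",
    "amsi.dll",
    "scriptblocklogging",
)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 payload of -EncodedCommand, or None if absent."""
    m = _ENC_SWITCH.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """Reverse encode_command; tolerate stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def amsi_indicators(script: str) -> list:
    """AMSI / logging tamper indicators present in the decoded script."""
    low = script.lower()
    return [ind for ind in AMSI_INDICATORS if ind in low]


def triage(cmdline: str) -> dict:
    """Summarise one powershell.exe command line for an analyst."""
    b64 = extract_encoded(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "amsi_indicators": [],
                "uses_iex": False, "uses_sleep": False}
    script = decode_encoded_command(b64)
    return {
        "encoded": True,
        "script": script,
        "amsi_indicators": amsi_indicators(script),
        "uses_iex": bool(re.search(r"(?i)\biex\b|invoke-expression", script)),
        "uses_sleep": "start-sleep" in script.lower(),
    }


# Constructed sample: public AMSI-tampering idiom + delay + IEX of a
# second-stage string. Not the real RMS.exe -> powershell.exe command.
SAMPLE_SCRIPT = (
    "$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
    "$a.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
    "Start-Sleep -Seconds 30;"
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('...')))"
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand "
    + encode_command(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded:", result["script"])
    print("AMSI indicators:", result["amsi_indicators"])
    print("IEX:", result["uses_iex"], " sleep:", result["uses_sleep"])
```

Run the decoder over the real command line from the full report's process details rather than over the sample; the UTF-16LE step is the part people most often get wrong when decoding by hand, and the switch regex deliberately accepts the abbreviated forms attackers use.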

TRiD

.exe | Inno Setup installer (54)
.exe | InstallShield setup (21.2)
.exe | Win32 EXE PECompact compressed (generic) (20.4)
.exe | Win32 Executable (generic) (2.2)
.exe | Generic Win/DOS Executable (0.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:31 15:37:20+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2200064
InitializedDataSize: 53009920
UninitializedDataSize: -
EntryPoint: 0x21a408
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 169
Monitored processes: 35
Malicious processes: 11
Suspicious processes: 3

Behavior graph

Process nodes, in order of appearance: rms.exe, powershell.exe, conhost.exe, powershell.exe, cmstp.exe, CMSTPLUA, csc.exe, cvtres.exe, rms.exe, attrib.exe, conhost.exe, regedit.exe, cmd.exe, conhost.exe, attrib.exe, conhost.exe, attrib.exe, conhost.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, rfusclient.exe, rfusclient.exe, schtasks.exe, conhost.exe, schtasks.exe, conhost.exe, wscript.exe, wscript.exe, verclsid.exe, taskkill.exe, conhost.exe, rfusclient.exe, slui.exe

Process information

Each entry below lists the PID, command line, image path and parent process, followed by the process details and the first loaded modules.
PID: 1028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1212
CMD: "C:\Windows\System32\cmd.exe" /c cd /d "C:\Program Files (x86)\Remote Manipulator System - Host\" && rutserv.exe /silentinstall && rutserv.exe /firewall && rutserv.exe /start && exit
Path: C:\Windows\System32\cmd.exe
Parent process: RMS.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1296
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1660
CMD: rutserv.exe /start
Path: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Parent process: cmd.exe
User:
admin
Company:
TektonIT
Integrity Level:
HIGH
Description:
RMS
Exit code:
0
Version:
7.6.2.0
Modules
Images
c:\program files (x86)\remote manipulator system - host\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
PID: 1984
CMD: C:\Users\admin\AppData\Local\Temp\RMS.exe
Path: C:\Users\admin\AppData\Local\Temp\RMS.exe
Parent process: dllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rms.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 2120
CMD: "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft\Windows\Windows Setting Factory\DayX" /f /tr "wscript.exe """C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.vbs"""" /sc ONLOGON
Path: C:\Windows\System32\schtasks.exe
Parent process: RMS.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2136
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2136
CMD: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Path: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Parent process: rutserv.exe
User:
SYSTEM
Company:
TektonIT
Integrity Level:
SYSTEM
Description:
RMS
Version:
7.6.2.0
Modules
Images
c:\program files (x86)\remote manipulator system - host\rfusclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
PID: 2228
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
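The process list above shows the installation chain of the RMS host (TektonIT's Remote Manipulator System, per the Company field on rutserv.exe and rfusclient.exe): dllhost.exe hosting the CMSTPLUA COM object (PID 1328) launches RMS.exe from %TEMP% at high integrity (PID 1984), which then uses cmd.exe to run rutserv.exe /silentinstall, /firewall and /start (PID 1212) and schtasks.exe to register an ONLOGON task under Microsoft\Windows\Windows Setting Factory that runs rfusclient.vbs (PID 2120). What follows is an added example, not ANY.RUN's or TektonIT's code, of detection logic run over process-creation events built from exactly those command lines. The event dictionaries are constructed for this example, their field names are this example's own rather than a Sysmon or EDR schema, and the notepad.exe record is a benign control.

```python
"""
Process-creation checks for the RMS installation chain in this report:
the CMSTPLUA COM surrogate (dllhost.exe, PID 1328) spawning RMS.exe at
high integrity, cmd.exe running rutserv.exe /silentinstall, and
schtasks.exe registering an ONLOGON task that runs a .vbs from a
Microsoft-looking task folder.

Added example, not ANY.RUN's or TektonIT's code. EVENTS is constructed
from the command lines printed in the report (PIDs 1328, 1984, 1212,
2120) plus one benign control; the keys are this example's own shape.
"""
import re

# CLSID of the CMSTPLUA COM object. Hosted in dllhost.exe it runs
# auto-elevated, so a non-Microsoft child under that surrogate is the
# pattern the report labels "Known privilege escalation attack".
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".lower()

# Directories any user can write to; a high-integrity process started
# from one of them by an elevating parent is the interesting case.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

EVENTS = [  # constructed from the report's process list
    {"pid": 1328, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "parent_image": r"C:\Windows\System32\svchost.exe", "parent_cmdline": "",
     "integrity": "High"},
    {"pid": 1984, "image": r"C:\Users\admin\AppData\Local\Temp\RMS.exe",
     "cmdline": r"C:\Users\admin\AppData\Local\Temp\RMS.exe",
     "parent_image": r"C:\Windows\System32\dllhost.exe",
     "parent_cmdline": r"C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "integrity": "High"},
    {"pid": 1212, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c cd /d "C:\Program Files (x86)\Remote Manipulator System - Host\" && rutserv.exe /silentinstall && rutserv.exe /firewall && rutserv.exe /start && exit',
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\RMS.exe", "parent_cmdline": "",
     "integrity": "High"},
    {"pid": 2120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn "Microsoft\Windows\Windows Setting Factory\DayX" /f /tr "wscript.exe """C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.vbs"""" /sc ONLOGON',
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\RMS.exe", "parent_cmdline": "",
     "integrity": "High"},
    {"pid": 5000, "image": r"C:\Windows\System32\notepad.exe",  # benign control
     "cmdline": "notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "", "integrity": "Medium"},
]


def _under_user_writable(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE)


def rule_cmstplua_uac_bypass(ev: dict) -> bool:
    """High-integrity child of the CMSTPLUA surrogate, image in a
    user-writable directory."""
    return (ev["parent_image"].lower().endswith("\\dllhost.exe")
            and CMSTPLUA_CLSID in ev["parent_cmdline"].lower()
            and ev["integrity"].lower() == "high"
            and _under_user_writable(ev["image"]))


def rule_rms_silent_install(ev: dict) -> bool:
    """RMS host installed without UI (rutserv.exe /silentinstall)."""
    return re.search(r"(?i)rutserv\.exe\s+/silentinstall", ev["cmdline"]) is not None


def rule_logon_task_wscript(ev: dict) -> bool:
    """schtasks.exe creating a logon-triggered task whose action is a
    script host running a .vbs file."""
    low = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("\\schtasks.exe")
            and "/create" in low
            and re.search(r"/sc\s+onlogon", low) is not None
            and ("wscript" in low or "cscript" in low)
            and ".vbs" in low)


def rule_task_masquerades_as_microsoft(ev: dict) -> bool:
    """Task registered under the Microsoft\\Windows folder while its
    action references nothing under a \\Windows\\ path."""
    m = re.search(r'(?i)/tn\s+"([^"]+)"', ev["cmdline"])
    if not m or not m.group(1).lower().startswith("microsoft\\windows\\"):
        return False
    action = re.search(r'(?i)/tr\s+"(.+)"\s+/sc', ev["cmdline"])
    return action is not None and "\\windows\\" not in action.group(1).lower()


RULES = {
    "cmstplua_uac_bypass": rule_cmstplua_uac_bypass,
    "rms_silent_install": rule_rms_silent_install,
    "logon_task_wscript": rule_logon_task_wscript,
    "task_masquerades_as_microsoft": rule_task_masquerades_as_microsoft,
}


def evaluate(events: list) -> dict:
    """Map pid -> names of rules that fired; pids without hits are omitted."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["pid"]] = fired
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
```

The UAC-bypass rule keys on the parent's command line rather than on dllhost.exe alone, because COM surrogates are common; what is not common is a high-integrity child in %TEMP% under the CMSTPLUA CLSID. The task rule is written against the quoting schtasks.exe actually received here, including the tripled quotes around the .vbs path.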
Total events: 22 689
Read events: 22 637
Write events: 48
Delete events: 4

Modification events

PID Process | Operation | Key | Name = Value
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableFileTracing = 0
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableAutoFileTracing = 0
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableConsoleTracing = 0
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | FileTracingMask = (value not shown)
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | ConsoleTracingMask = (value not shown)
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | MaxFileSize = 1048576
5060 cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | FileDirectory = %windir%\tracing
5060 cmstp.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections | DesktopShortcut = 0
1328 dllhost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe | ProfileInstallPath = C:\ProgramData\Microsoft\Network\Connections\Cm
1328 dllhost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | SM_AccessoriesName = Accessories
Executable files: 11
Suspicious files: 4
Text files: 11
Unknown types: 6

Dropped files

PID | Process | Filename | Type
5456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\plquui4v.0.cs | text
  MD5: BC95914CE05E4FC603E3DB980B0A35F8
  SHA256: 27D9776ED21A5A87F3E21C2E90B7FEB34F1C75C7F0C81E935E668C6C2597F49B
3676 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a2ydfhff.vuk.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_byflbm5y.d4t.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1984 | RMS.exe | C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll | executable
  MD5: 6610A420C60C420FDE9394F651DE6B92
  SHA256: A80225CF40C2824327D50601AE067383DD53D45FDF0E2C064408E7F3EEF6D891
5080 | csc.exe | C:\Users\admin\AppData\Local\Temp\plquui4v.out | text
  MD5: 1A73298D574AA6DB59E4D271502F7641
  SHA256: D22441980C808326E90D376CC6E65CA7DE70AA4B564484B85A0A33317EB89245
1984 | RMS.exe | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | executable
  MD5: 808E5776D6082C5E319E511D4FA46E4F
  SHA256: 3FBC7DCE8B68E66822EFDCF09217BCB66372FCB09C03B0B684281EAF404A309D
5456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\plquui4v.cmdline | text
  MD5: 5727E61AF3A0752F8BE695ED44C5F135
  SHA256: F254B7566F1191AD4894D63A387BE20E58794FF02458A85492F8810E572003CE
2648 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES8F5F.tmp | o
  MD5: 22505033ABA71CF3F377D31EEBBB49FB
  SHA256: AE29584739C9293F71BDA793589F34DDAB1FB0EDEC776D9B25DCF5BE533BAB5F
5456 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 6296D1663383CC6874886CC4938AF96D
  SHA256: E27FF43E81CD5FBAB14BF2FA73ABE15AC170FC097C26D665842410D0B0630589
1984 | RMS.exe | C:\Program Files (x86)\Remote Manipulator System - Host\desktop.ini | text
  MD5: 8E66504AB5342647CB35403B78A4724E
  SHA256: 7E409816D34D28CA5CCE0B7FC5B977D33AA234D2F27799DBCA7BAAB239F3295F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 47
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1268 | svchost.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7072 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3940 | rutserv.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D | unknown | whitelisted
892 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
892 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
3940 | rutserv.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | whitelisted
3940 | rutserv.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDHZGDpDihE23%2BYNrMw%3D%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3936 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
(not listed) | (not listed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 72.246.169.155:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7072 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7072 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 72.246.169.155
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.3
  • 40.126.32.138
  • 20.190.160.65
  • 20.190.160.131
  • 20.190.160.2
  • 40.126.32.68
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID | Process | Class | Message
3940 | rutserv.exe | Potential Corporate Privacy Violation | REMOTE [ANY.RUN] Remote Access Tool Has been detected

Process | Message
rutserv.exe | TMainService.Start