File name:

RMS.exe

Full analysis: https://app.any.run/tasks/2bdf01c6-b3ca-4f2b-90ae-63edc1b0ee6e
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers full or partial control over infected computers. Such programs often have a modular design, offering a wide range of functionality for illicit activity on compromised systems; common RAT features include access to the user's data, webcam, and keystrokes. RATs are often distributed through phishing emails and links. The RMS seen in this report is TektonIT's Remote Manipulator System, a commercial remote administration tool (the dropped rutserv.exe and rfusclient.exe carry TektonIT as company and version 7.6.2.0). What makes this sample malicious is how it deploys the tool: a silent install from %TEMP% after a CMSTP UAC bypass, an install directory hidden with attrib and desktop.ini, and a logon task named to look like a Windows component.

Analysis date: July 09, 2025, 16:54:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rms
rat
auto-sch
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

3BBB8791FB75D937022D971EA1909A2E

SHA1:

CCAF5983E3815A55EC1E916AA403E41FFDDCDC49

SHA256:

8A142D760D0DED880220B9CE3C88B918423BD214DF3BB04C6910EC5A21442EDB

SSDEEP:

98304:r5Z+LGpsmLcngsaAYbx12n6qwjVLJ5mFTb1pQGzr7LNhJkX7dqClM54PyOIRXs0S:B+hFPNZbc2EeJUO9WLcb0f0UJiZK8Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 1328)
    • RMS has been detected

      • rutserv.exe (PID: 4664)
      • regedit.exe (PID: 6948)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
    • Drop RMS (RAT) executable file

      • RMS.exe (PID: 1984)
    • Uses Task Scheduler to autorun other applications

      • RMS.exe (PID: 1984)
    • RMS mutex has been found

      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6700)
    • RMS has been detected (YARA)

      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • RMS.exe (PID: 5368)
    • Starts POWERSHELL.EXE for commands execution

      • RMS.exe (PID: 5368)
      • powershell.exe (PID: 3676)
    • Reads security settings of Internet Explorer

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 3676)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 3676)
      • RMS.exe (PID: 5368)
    • Application launched itself

      • powershell.exe (PID: 3676)
      • rfusclient.exe (PID: 2136)
    • Likely accesses (executes) a file from the Public directory

      • cmstp.exe (PID: 5060)
      • powershell.exe (PID: 3676)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • powershell.exe (PID: 5456)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 3676)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3676)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5080)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 5080)
      • RMS.exe (PID: 1984)
    • Write to the desktop.ini file (may be used to cloak folders)

      • RMS.exe (PID: 1984)
    • Uses ATTRIB.EXE to modify file attributes

      • RMS.exe (PID: 1984)
    • Starts CMD.EXE for commands execution

      • RMS.exe (PID: 1984)
    • Reads the date of Windows installation

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 4664)
    • Uses REG/REGEDIT.EXE to modify registry

      • RMS.exe (PID: 1984)
    • Executes as Windows Service

      • rutserv.exe (PID: 3940)
    • Adds/modifies Windows certificates

      • rutserv.exe (PID: 3940)
    • The process executes via Task Scheduler

      • wscript.exe (PID: 6700)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 6700)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 6700)
    • Accesses name of a user that is currently logged on via WMI (SCRIPT)

      • wscript.exe (PID: 6700)
    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 6700)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 6700)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 1328)
    • Connects to unusual port

      • rutserv.exe (PID: 3940)
    • Potential Corporate Privacy Violation

      • rutserv.exe (PID: 3940)
  • INFO

    • Reads the computer name

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 4664)
    • The sample compiled with english language support

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
    • Checks supported languages

      • RMS.exe (PID: 5368)
      • csc.exe (PID: 5080)
      • cvtres.exe (PID: 2648)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 1660)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 4664)
    • Process checks computer location settings

      • RMS.exe (PID: 5368)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Disables trace logs

      • cmstp.exe (PID: 5060)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 5060)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 5080)
      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Create files in a temporary directory

      • cvtres.exe (PID: 2648)
      • csc.exe (PID: 5080)
    • Creates files in the program directory

      • dllhost.exe (PID: 1328)
      • RMS.exe (PID: 1984)
      • rutserv.exe (PID: 4664)
    • Reads Environment values

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 4664)
    • Reads product name

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 4664)
    • Reads Windows Product ID

      • rutserv.exe (PID: 4664)
      • rutserv.exe (PID: 2976)
      • rutserv.exe (PID: 1660)
      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
      • rfusclient.exe (PID: 6652)
      • rfusclient.exe (PID: 4664)
    • Reads the software policy settings

      • rutserv.exe (PID: 3940)
      • slui.exe (PID: 7016)
    • Manual execution by a user

      • verclsid.exe (PID: 5928)
      • wscript.exe (PID: 3572)
    • Compiled with Borland Delphi (YARA)

      • rutserv.exe (PID: 3940)
      • rfusclient.exe (PID: 2136)
    • Checks proxy server information

      • slui.exe (PID: 7016)
No Malware configuration.

TRiD

.exe | Inno Setup installer (54)
.exe | InstallShield setup (21.2)
.exe | Win32 EXE PECompact compressed (generic) (20.4)
.exe | Win32 Executable (generic) (2.2)
.exe | Generic Win/DOS Executable (0.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:31 15:37:20+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2200064
InitializedDataSize: 53009920
UninitializedDataSize: -
EntryPoint: 0x21a408
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
All screenshots are available in the full report
Total processes
169
Monitored processes
35
Malicious processes
11
Suspicious processes
3

Behavior graph

Processes in the behavior graph, in start order: rms.exe, powershell.exe, conhost.exe, powershell.exe, cmstp.exe, CMSTPLUA, csc.exe, cvtres.exe, rms.exe, attrib.exe, conhost.exe, regedit.exe, cmd.exe, conhost.exe, attrib.exe, conhost.exe, attrib.exe, conhost.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, rfusclient.exe, rfusclient.exe, schtasks.exe, conhost.exe, schtasks.exe, conhost.exe, wscript.exe, wscript.exe, verclsid.exe, taskkill.exe, conhost.exe, rfusclient.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1028
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1212
CMD:
"C:\Windows\System32\cmd.exe" /c cd /d "C:\Program Files (x86)\Remote Manipulator System - Host\" && rutserv.exe /silentinstall && rutserv.exe /firewall && rutserv.exe /start && exit
Path:
C:\Windows\System32\cmd.exe
Parent process:
RMS.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1296
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1328
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
1660
CMD:
rutserv.exe /start
Path:
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Parent process:
cmd.exe
User:
admin
Company:
TektonIT
Integrity Level:
HIGH
Description:
RMS
Exit code:
0
Version:
7.6.2.0
Modules
Images
c:\program files (x86)\remote manipulator system - host\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
PID:
1984
CMD:
C:\Users\admin\AppData\Local\Temp\RMS.exe
Path:
C:\Users\admin\AppData\Local\Temp\RMS.exe
Parent process:
dllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rms.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID:
2120
CMD:
"C:\Windows\System32\schtasks.exe" /create /tn "Microsoft\Windows\Windows Setting Factory\DayX" /f /tr "wscript.exe """C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.vbs"""" /sc ONLOGON
Path:
C:\Windows\System32\schtasks.exe
Parent process:
RMS.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2136
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2136
CMD:
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Path:
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Parent process:
rutserv.exe
User:
SYSTEM
Company:
TektonIT
Integrity Level:
SYSTEM
Description:
RMS
Version:
7.6.2.0
Modules
Images
c:\program files (x86)\remote manipulator system - host\rfusclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
PID:
2228
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
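The process tree above is the part of this report a detection engineer can act on: dllhost.exe hosting the CMSTPLUA CLSID, an elevated RMS.exe launched from %TEMP% with dllhost.exe as parent, cmd.exe running rutserv.exe /silentinstall, and schtasks creating an ONLOGON task under the Microsoft\Windows namespace that runs wscript.exe. The following is an added example, not ANY.RUN's code and not part of the report: a small rule set over process-creation events modeled on those command lines. The events are constructed from the Process information section; the powershell.exe event and its -enc payload are hypothetical stand-ins, because the report flags an encoded command for PID 3676 but does not print it.

```python
"""Process-creation triage for the RMS install chain shown in the report.
Added example (not ANY.RUN code).  Sample events are constructed from the
report's command lines; the PowerShell event is hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List

# CLSID of the auto-elevating CMSTPLUA COM object, exactly as it appears in
# the dllhost.exe command line of PID 1328.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
RMS_HOST_BINARIES = {"rutserv.exe", "rfusclient.exe"}
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\public|programdata)\\")
LOGON_TASK = re.compile(r'/tn\s+"?microsoft\\windows\\')  # task hidden under the MS namespace
ENCODED_PS = re.compile(r"\s[-/](e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}")


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the created process
    cmdline: str
    parent_image: str  # image name or path of the parent


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list = clean)."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
    hits = []
    if img == "dllhost.exe" and CMSTPLUA_CLSID.lower() in cl:
        hits.append("cmstplua_com_surrogate")            # UAC-bypass host object
    if parent == "dllhost.exe" and USER_WRITABLE.search(ev.image.lower()):
        hits.append("dllhost_child_from_user_writable")  # elevated child launched from %TEMP%
    if "rutserv.exe" in cl and "/silentinstall" in cl:
        hits.append("rms_silent_install")
    if img == "schtasks.exe" and "/create" in cl and "wscript" in cl and LOGON_TASK.search(cl):
        hits.append("logon_task_runs_wscript")
    if img == "powershell.exe" and ENCODED_PS.search(cl):
        hits.append("powershell_encoded_command")
    if img in RMS_HOST_BINARIES:
        hits.append("rms_host_binary")
    return hits


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> rule hits, keeping only processes that tripped something."""
    return {ev.pid: h for ev in events if (h := check_event(ev))}


# Constructed events; PIDs and command lines follow the report where it shows them.
SAMPLE_EVENTS = [
    ProcEvent(1328, r"C:\Windows\System32\dllhost.exe",
              r"C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
              "svchost.exe"),
    ProcEvent(1984, r"C:\Users\admin\AppData\Local\Temp\RMS.exe",
              r"C:\Users\admin\AppData\Local\Temp\RMS.exe", "dllhost.exe"),
    ProcEvent(1212, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cd /d "C:\Program Files (x86)\Remote Manipulator System - Host\" '
              r'&& rutserv.exe /silentinstall && rutserv.exe /firewall && rutserv.exe /start && exit',
              "RMS.exe"),
    ProcEvent(2120, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /tn "Microsoft\Windows\Windows Setting Factory\DayX" /f '
              r'/tr "wscript.exe """C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.vbs"""" /sc ONLOGON',
              "RMS.exe"),
    ProcEvent(2136, r"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe",
              r'"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"', "rutserv.exe"),
    # Hypothetical: the report flags an encoded command for PID 3676 but does not print it.
    ProcEvent(3676, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "RMS.exe"),
    ProcEvent(1296, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "cmd.exe"),  # benign noise
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The dllhost.exe rule on its own is noisy, since legitimate elevation through CMSTPLUA also goes through that CLSID; the pairing that matters is the surrogate followed by a child whose image lives in a user-writable directory, which is exactly what PID 1328 and PID 1984 show here.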
Total events
22 689
Read events
22 637
Write events
48
Delete events
4

Modification events

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: MaxFileSize | Value: 1048576

(PID) Process: (5060) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write | Name: FileDirectory | Value: %windir%\tracing

(PID) Process: (5060) cmstp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation: write | Name: DesktopShortcut | Value: 0

(PID) Process: (1328) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation: write | Name: ProfileInstallPath | Value: C:\ProgramData\Microsoft\Network\Connections\Cm

(PID) Process: (1328) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation: write | Name: SM_AccessoriesName | Value: Accessories
Executable files
11
Suspicious files
4
Text files
11
Unknown types
6

Dropped files

PID: 5456 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 6296D1663383CC6874886CC4938AF96D
SHA256: E27FF43E81CD5FBAB14BF2FA73ABE15AC170FC097C26D665842410D0B0630589

PID: 5456 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\plquui4v.0.cs
MD5: BC95914CE05E4FC603E3DB980B0A35F8
SHA256: 27D9776ED21A5A87F3E21C2E90B7FEB34F1C75C7F0C81E935E668C6C2597F49B

PID: 2648 | Process: cvtres.exe | Type: o
Filename: C:\Users\admin\AppData\Local\Temp\RES8F5F.tmp
MD5: 22505033ABA71CF3F377D31EEBBB49FB
SHA256: AE29584739C9293F71BDA793589F34DDAB1FB0EDEC776D9B25DCF5BE533BAB5F

PID: 5080 | Process: csc.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\plquui4v.out
MD5: 1A73298D574AA6DB59E4D271502F7641
SHA256: D22441980C808326E90D376CC6E65CA7DE70AA4B564484B85A0A33317EB89245

PID: 1984 | Process: RMS.exe | Type: text
Filename: C:\Program Files (x86)\Remote Manipulator System - Host\desktop.ini
MD5: 8E66504AB5342647CB35403B78A4724E
SHA256: 7E409816D34D28CA5CCE0B7FC5B977D33AA234D2F27799DBCA7BAAB239F3295F

PID: 1984 | Process: RMS.exe | Type: text
Filename: C:\Program Files (x86)\Remote Manipulator System - Host\reg.reg
MD5: A8E809341F8173032C19F96047E409EC
SHA256: 77693488469363661E97A22E019BAEC7CAE402CBC438CDAAD1718E8BEF638BBE

PID: 3676 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ztssaysm.t5h.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5456 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h5auokdh.qpp.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3676 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a2ydfhff.vuk.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5080 | Process: csc.exe | Type: res
Filename: C:\Users\admin\AppData\Local\Temp\CSC9E40F5F8823642B589F139D139ABE61D.TMP
MD5: 41E612286C6BA6A4CFA221B046C97A54
SHA256: 161B467E7977BF9E33B923CF0F172521DA682866A4D07AA04A468DB8EDC54550
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
47
DNS requests
19
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7072
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3940
rutserv.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDHZGDpDihE23%2BYNrMw%3D%3D
unknown
whitelisted
3940
rutserv.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D
unknown
whitelisted
3940
rutserv.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D
unknown
whitelisted
892
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2940
svchost.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
892
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3936
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
72.246.169.155:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7072
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7072
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 72.246.169.155
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.3
  • 40.126.32.138
  • 20.190.160.65
  • 20.190.160.131
  • 20.190.160.2
  • 40.126.32.68
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID: 3940 | Process: rutserv.exe | Class: Potential Corporate Privacy Violation
Message: REMOTE [ANY.RUN] Remote Access Tool Has been detected

Debug output strings

Process: rutserv.exe
Message: TMainService.Start