File name:

rutserv.exe

Full analysis: https://app.any.run/tasks/0ba1e2f4-002e-4a92-a7b5-034ff23d8e73
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: August 01, 2025, 03:49:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
rms
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

41DC282CBF89B0737AE6DD2DE5A71015

SHA1:

4AAC4BAFAF43BE690089549584770F9E88630B45

SHA256:

B8049A022430C34F0B8B3C9F357A9AFA4FD6CB940B7353A610D1F53FB5BF471C

SSDEEP:

196608:anhOP/yO920X/pYwSsfCMrCTSFXpoFZnEI6TNnXG8QItwZr/dJnvu9b9PjpA6:ihOPadU/RXKgBZwnCYZr/n29h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drop RMS (RAT) executable file

      • rutserv.exe (PID: 1392)

    • RMS mutex has been found

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • RMS is detected

      • rutserv.exe (PID: 5644)

    • RMS has been detected (YARA)

      • rutserv.exe (PID: 5644)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Application launched itself

      • rutserv.exe (PID: 1392)

  • INFO

    • Checks supported languages

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Reads the computer name

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • The sample compiled with english language support

      • rutserv.exe (PID: 1392)

    • Reads product name

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Reads Environment values

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Reads Windows Product ID

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Process checks computer location settings

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Reads the machine GUID from the registry

      • rutserv.exe (PID: 1392)
      • rutserv.exe (PID: 5644)

    • Creates files or folders in the user directory

      • rutserv.exe (PID: 5644)

    • Reads CPU info

      • rutserv.exe (PID: 5644)

    • Compiled with Borland Delphi (YARA)

      • rutserv.exe (PID: 5644)

    • Checks proxy server information

      • slui.exe (PID: 4836)

    • Reads the software policy settings

      • slui.exe (PID: 4836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:09:01 22:31:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 15514624
InitializedDataSize: 5255168
UninitializedDataSize: -
EntryPoint: 0xecd990
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.1.7.0
ProductVersionNumber: 7.1.7.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: TektonIT
FileDescription: RMS
FileVersion: 7.1.7.0
LegalCopyright: Copyright © 2022 TektonIT. Ter-Osipov Alex. All rights reserved.
LegalTrademarks: Remote Manipulator System, TektonIT
ProductName: Remote Manipulator System
ProductVersion: 7.1.7.0
ProgramID: ru.rmansys.rutserv
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RMS rutserv.exe #RMS rutserv.exe slui.exe rutserv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1392"C:\Users\admin\Desktop\rutserv.exe" C:\Users\admin\Desktop\rutserv.exe
explorer.exe
User:
admin
Company:
TektonIT
Integrity Level:
HIGH
Description:
RMS
Exit code:
0
Version:
7.1.7.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
3504"C:\Users\admin\Desktop\rutserv.exe" C:\Users\admin\Desktop\rutserv.exeexplorer.exe
User:
admin
Company:
TektonIT
Integrity Level:
MEDIUM
Description:
RMS
Exit code:
3221226540
Version:
7.1.7.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4836C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5644C:\Users\admin\Desktop\rutserv.exe -run_agent -secondC:\Users\admin\Desktop\rutserv.exe
rutserv.exe
User:
SYSTEM
Company:
TektonIT
Integrity Level:
SYSTEM
Description:
RMS
Version:
7.1.7.0
Modules
Images
c:\users\admin\desktop\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
Total events
8 236
Read events
8 231
Write events
5
Delete events
0

Modification events

(PID) Process:(5644) rutserv.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters
Operation:writeName:General
Value:
EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C67656E6572616C5F73657474696E67732076657273696F6E3D223730313730223E3C706F72743E353635303C2F706F72743E3C686964655F747261795F69636F6E5F706F7075705F6D656E753E66616C73653C2F686964655F747261795F69636F6E5F706F7075705F6D656E753E3C747261795F6D656E755F686964655F73746F703E66616C73653C2F747261795F6D656E755F686964655F73746F703E3C6C616E67756167653E3C2F6C616E67756167653E3C63616C6C6261636B5F6175746F5F636F6E6E6563743E747275653C2F63616C6C6261636B5F6175746F5F636F6E6E6563743E3C63616C6C6261636B5F636F6E6E6563745F696E74657276616C3E36303C2F63616C6C6261636B5F636F6E6E6563745F696E74657276616C3E3C70617373776F72645F646174613E3C2F70617373776F72645F646174613E3C70726F746563745F63616C6C6261636B5F73657474696E67733E66616C73653C2F70726F746563745F63616C6C6261636B5F73657474696E67733E3C70726F746563745F696E65745F69645F73657474696E67733E66616C73653C2F70726F746563745F696E65745F69645F73657474696E67733E3C7573655F6C65676163795F636170747572653E66616C73653C2F7573655F6C65676163795F636170747572653E3C646F5F6E6F745F636170747572655F7264703E66616C73653C2F646F5F6E6F745F636170747572655F7264703E3C7573655F69705F765F363E747275653C2F7573655F69705F765F363E3C6C6F675F7573653E747275653C2F6C6F675F7573653E3C6C6F675F7573655F77696E646F77733E66616C73653C2F6C6F675F7573655F77696E646F77733E3C636861745F636C69656E745F73657474696E67733E3C2F636861745F636C69656E745F73657474696E67733E3C617574685F6B65795F737472696E673E3C2F617574685F6B65795F737472696E673E3C7369645F69643E34353837302E313539333832313532383C2F7369645F69643E3C6E6F746966795F73686F775F70616E656C3E747275653C2F6E6F746966795F73686F775F70616E656C3E3C6E6F746966795F6368616E67655F747261795F69636F6E3E747275653C2F6E6F746966795F6368616E67655F747261795F69636F6E3E3C6E6F746966795F62616C6C6F6E5F68696E743E66616C73653C2F6E6F746966795F62616C6C6F6E5F68696E743E3C6E6F746966795F706C61795F736F756E643E66616C73653C2F6E6F746966795F706C61795F736F756E643E3C6E6F746966795F70616E656C5F783E2D313C2F6E6F746966795F70616E656C5F783E3C6E6F746966795F70616E656C5F793E2D313C2F6E6F746966795F70616E656C5F793E3C70726F78795F73657474696E67733E3C2F70726F78795F73657474696E67733E3C6164646974696F6E616C3E3C2F6164646974696F6E616C3E3C64697361626C655F696E7465726E65745F69643E66616C73653C2F64697361626C655F696E7465726E65745F69643E3C736166655F6D6F64655F7365743E66616C73653C2F736166655F6D6F64655F7365743E3C73686F775F69645F6E6F74696669636174696F6E3E66616C73653C2F73686F775F69645F6E6F74696669636174696F6E3E3C73686F775F69645F6E6F74696669636174696F6E5F726571756573743E66616C73653C2F73686F775F69645F6E6F74696669636174696F6E5F726571756573743E3C696E746567726174655F6669726577616C6C5F61745F737461727475703E66616C73653C2F696E746567726174655F6669726577616C6C5F61745F737461727475703E3C636C6970626F6172645F7472616E736665725F6D6F64653E303C2F636C6970626F6172645F7472616E736665725F6D6F64653E3C636C6F73655F73657373696F6E5F69646C653E66616C73653C2F636C6F73655F73657373696F6E5F69646C653E3C636C6F73655F73657373696F6E5F69646C655F696E74657276616C3E36303C2F636C6F73655F73657373696F6E5F69646C655F696E74657276616C3E3C73686F775F636F6E6E656374696F6E5F616C6572745F666F725F616C6C3E66616C73653C2F73686F775F636F6E6E656374696F6E5F616C6572745F666F725F616C6C3E3C2F67656E6572616C5F73657474696E67733E0D0A
(PID) Process:(5644) rutserv.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters
Operation:writeName:InternetId
Value:
EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C726D735F696E7465726E65745F69645F73657474696E67732076657273696F6E3D223730313730223E3C696E7465726E65745F69643E3C2F696E7465726E65745F69643E3C7573655F696E65745F636F6E6E656374696F6E3E66616C73653C2F7573655F696E65745F636F6E6E656374696F6E3E3C696E65745F7365727665723E3C2F696E65745F7365727665723E3C7573655F637573746F6D5F696E65745F7365727665723E66616C73653C2F7573655F637573746F6D5F696E65745F7365727665723E3C696E65745F69645F706F72743E353635353C2F696E65745F69645F706F72743E3C7573655F696E65745F69645F697076363E66616C73653C2F7573655F696E65745F69645F697076363E3C696E65745F69645F7573655F70696E3E66616C73653C2F696E65745F69645F7573655F70696E3E3C696E65745F69645F70696E3E3C2F696E65745F69645F70696E3E3C2F726D735F696E7465726E65745F69645F73657474696E67733E0D0A
(PID) Process:(5644) rutserv.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters
Operation:writeName:Security
Value:
EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C73656375726974795F73657474696E67732076657273696F6E3D223730313730223E3C77696E646F77735F73656375726974793E3C2F77696E646F77735F73656375726974793E3C73696E676C655F70617373776F72645F686173683E3C2F73696E676C655F70617373776F72645F686173683E3C6D795F757365725F6163636573735F6C6973743E3C757365725F6163636573735F6C6973742F3E3C2F6D795F757365725F6163636573735F6C6973743E3C69705F66696C7465725F747970653E323C2F69705F66696C7465725F747970653E3C69705F626C61636B5F6C6973743E3C2F69705F626C61636B5F6C6973743E3C69705F77686974655F6C6973743E3C2F69705F77686974655F6C6973743E3C617574685F6B696E643E303C2F617574685F6B696E643E3C6F74705F656E61626C653E66616C73653C2F6F74705F656E61626C653E3C6F74705F707269766174655F6B65793E3C2F6F74705F707269766174655F6B65793E3C6F74705F71725F7365637265743E3C2F6F74705F71725F7365637265743E3C757365725F7065726D697373696F6E735F61736B3E66616C73653C2F757365725F7065726D697373696F6E735F61736B3E3C757365725F7065726D697373696F6E735F696E74657276616C3E31303030303C2F757365725F7065726D697373696F6E735F696E74657276616C3E3C757365725F7065726D697373696F6E735F616C6C6F775F64656661756C743E66616C73653C2F757365725F7065726D697373696F6E735F616C6C6F775F64656661756C743E3C757365725F7065726D697373696F6E735F6F6E6C795F69665F757365725F6C6F676765645F6F6E3E66616C73653C2F757365725F7065726D697373696F6E735F6F6E6C795F69665F757365725F6C6F676765645F6F6E3E3C64697361626C655F72656D6F74655F636F6E74726F6C3E66616C73653C2F64697361626C655F72656D6F74655F636F6E74726F6C3E3C64697361626C655F72656D6F74655F73637265656E3E66616C73653C2F64697361626C655F72656D6F74655F73637265656E3E3C64697361626C655F66696C655F7472616E736665723E66616C73653C2F64697361626C655F66696C655F7472616E736665723E3C64697361626C655F72656469726563743E66616C73653C2F64697361626C655F72656469726563743E3C64697361626C655F74656C6E65743E66616C73653C2F64697361626C655F74656C6E65743E3C64697361626C655F72656D6F74655F657865637574653E66616C73653C2F64697361626C655F72656D6F74655F657865637574653E3C64697361626C655F7461736B5F6D616E616765723E66616C73653C2F64697361626C655F7461736B5F6D616E616765723E3C64697361626C655F73687574646F776E3E66616C73653C2F64697361626C655F73687574646F776E3E3C64697361626C655F72656D6F74655F757067726164653E66616C73653C2F64697361626C655F72656D6F74655F757067726164653E3C64697361626C655F707265766965775F636170747572653E66616C73653C2F64697361626C655F707265766965775F636170747572653E3C64697361626C655F6465766963655F6D616E616765723E66616C73653C2F64697361626C655F6465766963655F6D616E616765723E3C64697361626C655F636861743E66616C73653C2F64697361626C655F636861743E3C64697361626C655F73637265656E5F7265636F72643E66616C73653C2F64697361626C655F73637265656E5F7265636F72643E3C64697361626C655F61765F636170747572653E66616C73653C2F64697361626C655F61765F636170747572653E3C64697361626C655F73656E645F6D6573736167653E66616C73653C2F64697361626C655F73656E645F6D6573736167653E3C64697361626C655F72656769737472793E66616C73653C2F64697361626C655F72656769737472793E3C64697361626C655F61765F636861743E66616C73653C2F64697361626C655F61765F636861743E3C64697361626C655F72656D6F74655F73657474696E67733E66616C73653C2F64697361626C655F72656D6F74655F73657474696E67733E3C64697361626C655F72656D6F74655F7072696E74696E673E66616C73653C2F64697361626C655F72656D6F74655F7072696E74696E673E3C64697361626C655F7264703E66616C73653C2F64697361626C655F7264703E3C637573746F6D5F7365727665725F6C6973743E3C2F637573746F6D5F7365727665725F6C6973743E3C73656C65637465645F637573746F6D5F7365727665725F69643E3C2F73656C65637465645F637573746F6D5F7365727665725F69643E3C637573746F6D5F7365727665725F6163636573733E3C2F637573746F6D5F7365727665725F6163636573733E3C2F73656375726974795F73657474696E67733E0D0A
(PID) Process:(5644) rutserv.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters
Operation:writeName:Certificates
Value:
EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C636572746966696374655F73657474696E67732076657273696F6E3D223730313730223E3C63657274696669636174653E3C2F63657274696669636174653E3C707269766174655F6B65793E3C2F707269766174655F6B65793E3C2F636572746966696374655F73657474696E67733E0D0A
(PID) Process:(5644) rutserv.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters
Operation:writeName:FUSClientPath
Value:
C:\Users\admin\Desktop\rfusclient.exe
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
5644rutserv.exeC:\Users\admin\AppData\Roaming\RMS Agent\Logs\rms_log_2025-08.htmlhtml
MD5:FB9A7CA61A5B026CD1E60E35E216E175
SHA256:EA42C4BFA2D184F2A19F68815581D97B4F2535F3DE78E84CE5454F6D2CFA621D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
45
TCP/UDP connections
51
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.159.131:443
https://login.live.com/RST2.srf
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
400
20.190.159.0:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
whitelisted
POST
400
20.190.159.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.64:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4168
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.73
  • 20.190.159.64
  • 40.126.31.3
  • 40.126.31.69
  • 40.126.31.71
  • 40.126.31.128
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
self.events.data.microsoft.com
  • 104.208.16.88
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
x1.c.lencr.org
  • 104.76.201.34
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rutserv.exe