File name:

Message.eml

Full analysis: https://app.any.run/tasks/7b62e787-0f27-4eef-9a9c-8ed0a90d3192
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: January 10, 2026, 09:23:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amazon-ses
github
simplehelp
rmm-tool
adware
loader
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
MD5:

3D8EC137AFA787F2ECDF41C2CB7B27D4

SHA1:

445F479F9482017E7B5AF1CBDB8CDB2DA2D7F512

SHA256:

3934DA7270CE7601DF911F7AAF552B74FE67DACEF53B580158D703542252A2A5

SSDEEP:

384:Lg9AgmsPf2JV0SjPovN3b1280Wz61To/KMKM2u5MlOiFM7oMAjuN6vGdO:LHmf2nPqbiWz61To/KMKMztbN6eO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • S_eStatement.exe (PID: 8296)
      • S_eStatement.exe (PID: 8496)
      • unpack200.exe (PID: 8740)
      • unpack200.exe (PID: 8720)
      • unpack200.exe (PID: 7428)
      • unpack200.exe (PID: 4476)
      • unpack200.exe (PID: 3304)
      • unpack200.exe (PID: 7424)
      • unpack200.exe (PID: 8744)
      • unpack200.exe (PID: 8824)
      • S_eStatement.exe (PID: 6352)
      • S_eStatement.exe (PID: 8804)
      • windowslauncher.exe (PID: 6148)
      • unpack200.exe (PID: 8920)
      • unpack200.exe (PID: 8884)
      • unpack200.exe (PID: 9040)
      • unpack200.exe (PID: 1412)
      • Remote Access.exe (PID: 8696)
      • Remote AccessLauncher.exe (PID: 8912)
      • unpack200.exe (PID: 8944)
      • unpack200.exe (PID: 8088)
      • unpack200.exe (PID: 8796)
      • SimpleService.exe (PID: 9160)
      • SimpleService.exe (PID: 8212)
      • unpack200.exe (PID: 7000)
      • unpack200.exe (PID: 5868)
      • SimpleService.exe (PID: 2668)
      • unpack200.exe (PID: 4516)
      • Remote Access Service.exe (PID: 8816)
      • windowslauncher.exe (PID: 8740)
      • Remote Access.exe (PID: 4292)
      • unpack200.exe (PID: 8840)
      • unpack200.exe (PID: 6648)
      • unpack200.exe (PID: 1068)
      • unpack200.exe (PID: 5888)
      • unpack200.exe (PID: 5464)
      • unpack200.exe (PID: 8696)
      • SimpleService.exe (PID: 9196)
      • S_eStatement.exe (PID: 4028)
      • S_eStatement.exe (PID: 1136)
      • StopSimpleGatewayService.exe (PID: 8244)
      • Remote Access.exe (PID: 6640)
      • S_eStatement.exe (PID: 5732)
      • SimpleService.exe (PID: 6440)
      • S_eStatement.exe (PID: 6976)
      • SimpleService.exe (PID: 7804)
      • SimpleService.exe (PID: 8208)
      • SimpleService.exe (PID: 8816)
      • Remote Access Service.exe (PID: 2228)
      • Remote Access.exe (PID: 8584)
      • SimpleService.exe (PID: 8672)
      • SimpleService.exe (PID: 936)
      • session_win.exe (PID: 8516)
      • elev_win.exe (PID: 792)
    • SIMPLEHELP has been detected

      • msedge.exe (PID: 7216)
      • S_eStatement.exe (PID: 8496)
      • SimpleService.exe (PID: 2668)
      • S_eStatement.exe (PID: 8804)
      • Remote Access Service.exe (PID: 8816)
      • StopSimpleGatewayService.exe (PID: 8244)
      • Remote Access Service.exe (PID: 2228)
      • SimpleService.exe (PID: 936)
      • Remote Access.exe (PID: 8584)
      • session_win.exe (PID: 8516)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
    • Process drops legitimate windows executable

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
    • Executable content was dropped or overwritten

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
      • Remote Access.exe (PID: 8696)
      • Remote Access.exe (PID: 4292)
      • Remote Access.exe (PID: 8584)
    • The process drops C-runtime libraries

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
    • Access to an unwanted program domain was detected

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
    • Connects to unusual port

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
      • Remote Access.exe (PID: 4292)
      • S_eStatement.exe (PID: 4028)
      • Remote Access.exe (PID: 6640)
      • S_eStatement.exe (PID: 6976)
      • Remote Access.exe (PID: 8584)
    • Uses ICACLS.EXE to modify access control lists

      • Remote AccessLauncher.exe (PID: 8912)
      • Remote Access.exe (PID: 8696)
      • S_eStatement.exe (PID: 8496)
      • Remote Access.exe (PID: 4292)
      • S_eStatement.exe (PID: 8804)
      • S_eStatement.exe (PID: 4028)
      • Remote Access.exe (PID: 6640)
      • S_eStatement.exe (PID: 6976)
      • Remote Access.exe (PID: 8584)
    • Executes as Windows Service

      • SimpleService.exe (PID: 2668)
      • SimpleService.exe (PID: 936)
    • Creates or modifies Windows services

      • Remote Access.exe (PID: 4292)
      • Remote Access.exe (PID: 8584)
    • Suspicious use of NETSH.EXE

      • Remote Access.exe (PID: 4292)
      • Remote Access.exe (PID: 8584)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Remote Access.exe (PID: 4292)
      • Remote Access.exe (PID: 8584)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • Remote Access.exe (PID: 8584)
  • INFO

    • Checks supported languages

      • TextInputHost.exe (PID: 8184)
      • identity_helper.exe (PID: 8632)
      • S_eStatement.exe (PID: 8496)
      • unpack200.exe (PID: 8740)
      • unpack200.exe (PID: 8720)
      • unpack200.exe (PID: 7428)
      • unpack200.exe (PID: 3304)
      • unpack200.exe (PID: 7424)
      • unpack200.exe (PID: 8744)
      • unpack200.exe (PID: 8824)
      • S_eStatement.exe (PID: 8804)
      • unpack200.exe (PID: 4476)
      • unpack200.exe (PID: 8920)
      • windowslauncher.exe (PID: 6148)
      • unpack200.exe (PID: 8884)
      • unpack200.exe (PID: 9040)
      • unpack200.exe (PID: 1412)
      • Remote AccessLauncher.exe (PID: 8912)
      • Remote Access.exe (PID: 8696)
      • unpack200.exe (PID: 8944)
      • unpack200.exe (PID: 8088)
      • SimpleService.exe (PID: 9160)
      • unpack200.exe (PID: 8796)
      • unpack200.exe (PID: 7000)
      • SimpleService.exe (PID: 8212)
      • SimpleService.exe (PID: 2668)
      • unpack200.exe (PID: 5868)
      • unpack200.exe (PID: 4516)
      • Remote Access Service.exe (PID: 8816)
      • windowslauncher.exe (PID: 8740)
      • unpack200.exe (PID: 8840)
      • Remote Access.exe (PID: 4292)
      • unpack200.exe (PID: 6648)
      • unpack200.exe (PID: 5888)
      • unpack200.exe (PID: 5464)
      • unpack200.exe (PID: 8696)
      • unpack200.exe (PID: 1068)
      • SimpleService.exe (PID: 9196)
      • S_eStatement.exe (PID: 4028)
      • StopSimpleGatewayService.exe (PID: 8244)
      • SimpleService.exe (PID: 6440)
      • Remote Access.exe (PID: 6640)
      • S_eStatement.exe (PID: 6976)
      • SimpleService.exe (PID: 7804)
      • SimpleService.exe (PID: 8208)
      • SimpleService.exe (PID: 8816)
      • Remote Access Service.exe (PID: 2228)
      • SimpleService.exe (PID: 8672)
      • SimpleService.exe (PID: 936)
      • Remote Access.exe (PID: 8584)
      • session_win.exe (PID: 8516)
      • elev_win.exe (PID: 792)
    • Email came from third-party service (Amazon SES)

      • OUTLOOK.EXE (PID: 7508)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7216)
      • msedge.exe (PID: 7236)
    • Application launched itself

      • msedge.exe (PID: 7216)
    • Reads the computer name

      • TextInputHost.exe (PID: 8184)
      • identity_helper.exe (PID: 8632)
      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
      • Remote Access.exe (PID: 8696)
      • SimpleService.exe (PID: 9160)
      • SimpleService.exe (PID: 8212)
      • SimpleService.exe (PID: 2668)
      • Remote Access.exe (PID: 4292)
      • SimpleService.exe (PID: 9196)
      • SimpleService.exe (PID: 6440)
      • Remote Access.exe (PID: 6640)
      • S_eStatement.exe (PID: 4028)
      • S_eStatement.exe (PID: 6976)
      • SimpleService.exe (PID: 7804)
      • SimpleService.exe (PID: 8816)
      • SimpleService.exe (PID: 8208)
      • SimpleService.exe (PID: 936)
      • SimpleService.exe (PID: 8672)
      • Remote Access.exe (PID: 8584)
      • session_win.exe (PID: 8516)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 7216)
    • Reads Environment values

      • identity_helper.exe (PID: 8632)
    • Checks proxy server information

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
      • slui.exe (PID: 5736)
    • Creates files in the program directory

      • S_eStatement.exe (PID: 8496)
      • unpack200.exe (PID: 8720)
      • unpack200.exe (PID: 8740)
      • unpack200.exe (PID: 3304)
      • unpack200.exe (PID: 7424)
      • unpack200.exe (PID: 8744)
      • unpack200.exe (PID: 8824)
      • S_eStatement.exe (PID: 8804)
      • unpack200.exe (PID: 7428)
      • unpack200.exe (PID: 4476)
      • unpack200.exe (PID: 8920)
      • unpack200.exe (PID: 9040)
      • unpack200.exe (PID: 8884)
      • unpack200.exe (PID: 1412)
      • Remote AccessLauncher.exe (PID: 8912)
      • Remote Access.exe (PID: 8696)
      • unpack200.exe (PID: 8944)
      • unpack200.exe (PID: 8088)
      • unpack200.exe (PID: 8796)
      • unpack200.exe (PID: 7000)
      • unpack200.exe (PID: 5868)
      • unpack200.exe (PID: 4516)
      • Remote Access Service.exe (PID: 8816)
      • unpack200.exe (PID: 8840)
      • Remote Access.exe (PID: 4292)
      • unpack200.exe (PID: 6648)
      • unpack200.exe (PID: 1068)
      • unpack200.exe (PID: 5464)
      • unpack200.exe (PID: 8696)
      • unpack200.exe (PID: 5888)
      • S_eStatement.exe (PID: 4028)
      • StopSimpleGatewayService.exe (PID: 8244)
      • S_eStatement.exe (PID: 6976)
      • Remote Access.exe (PID: 6640)
      • Remote Access Service.exe (PID: 2228)
      • Remote Access.exe (PID: 8584)
    • Creates files or folders in the user directory

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
      • Remote Access.exe (PID: 8696)
    • SIMPLEHELP has been detected

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
      • cacls.exe (PID: 1784)
      • Remote Access.exe (PID: 8696)
      • SimpleService.exe (PID: 9160)
      • SimpleService.exe (PID: 8212)
      • Remote Access.exe (PID: 4292)
      • cacls.exe (PID: 7452)
      • cacls.exe (PID: 8504)
      • SimpleService.exe (PID: 9196)
      • S_eStatement.exe (PID: 4028)
      • cacls.exe (PID: 8272)
      • SimpleService.exe (PID: 6440)
      • S_eStatement.exe (PID: 6976)
      • cacls.exe (PID: 8224)
      • SimpleService.exe (PID: 7804)
      • SimpleService.exe (PID: 8816)
      • SimpleService.exe (PID: 8208)
      • SimpleService.exe (PID: 8672)
      • Remote Access.exe (PID: 8584)
      • cacls.exe (PID: 6404)
      • cacls.exe (PID: 9052)
    • The sample compiled with english language support

      • S_eStatement.exe (PID: 8496)
      • S_eStatement.exe (PID: 8804)
    • Create files in a temporary directory

      • S_eStatement.exe (PID: 8496)
      • Remote AccessLauncher.exe (PID: 8912)
      • Remote Access.exe (PID: 8696)
      • S_eStatement.exe (PID: 8804)
      • S_eStatement.exe (PID: 4028)
      • S_eStatement.exe (PID: 6976)
    • Reads the machine GUID from the registry

      • Remote Access.exe (PID: 8696)
      • Remote Access.exe (PID: 4292)
      • S_eStatement.exe (PID: 4028)
      • S_eStatement.exe (PID: 8804)
      • S_eStatement.exe (PID: 6976)
      • Remote Access.exe (PID: 8584)
    • Reads security settings of Internet Explorer

      • netsh.exe (PID: 144)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 8840)
      • netsh.exe (PID: 2612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
All screenshots are available in the full report
Total processes
419
Monitored processes
266
Malicious processes
17
Suspicious processes
41

Behavior graph

[Behavior graph: interactive process tree, extracted here only as a flat list of node names. Processes in the graph: outlook.exe, ai.exe, textinputhost.exe, msedge.exe, identity_helper.exe, s_estatement.exe, unpack200.exe, windowslauncher.exe, icacls.exe, cacls.exe, conhost.exe, remote accesslauncher.exe, remote access.exe, simpleservice.exe, remote access service.exe, netsh.exe, slui.exe, stopsimplegatewayservice.exe, session_win.exe, elev_win.exe. Nodes flagged THREAT: msedge.exe, s_estatement.exe, simpleservice.exe, remote access service.exe, stopsimplegatewayservice.exe, remote access.exe, session_win.exe. See the full report for the graph itself.]

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 32
CMD: netsh advfirewall firewall add rule "name=SH Remote Access Service Launcher" "description=Inbound rule for the launcher that can spawn the Remote Access Service" dir=in action=allow "program=C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00063527423-complete\bin\Remote AccessLauncher.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: Remote Access.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 144
CMD: netsh advfirewall firewall show rule name=all
Path: C:\Windows\System32\netsh.exe
Parent process: Remote Access.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 404
CMD: netsh advfirewall firewall delete rule "name=SH Remote Access Service Updater"
Path: C:\Windows\System32\netsh.exe
Parent process: Remote Access.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 748
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 756
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 792
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 792
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 792
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\elev_win.exe" "--mouselocation"
Path: C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\elev_win.exe
Parent process: session_win.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1143
Version:
5.2.11.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access-00075795303-complete\elev_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 936
CMD: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe"
Path: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\programdata\jwrapper-remote access\jwappssharedconfig\restricted\simpleservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1068
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00063527423-complete\bin\unpack200.exe" "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1768037029-5-app\customer.jar.p2" "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1768037029-5-app\customer.jar"
Path: C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00063527423-complete\bin\unpack200.exe
Parent process: S_eStatement.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.1920.12
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-windows64jre-00063527423-complete\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\programdata\jwrapper-remote access\jwrapper-windows64jre-00063527423-complete\bin\msvcr100.dll
Total events
27 182
Read events
26 708
Write events
394
Delete events
80

Modification events

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 6
Value:
01941A000000001000B24E9A3E06000000000000000600000000000000

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7508
Operation: write
Name: 0
Value:
0B0E105A4B0A42D3BC0B4CA701D6127D597DC7230046A9A0C595ACC2A0EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511D43AD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootFailureCount
Value:

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: delete key
Name: (default)
Value:

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: CantBootResolution
Value:
BootSuccess

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: ProfileBeingOpened
Value:
Outlook

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: SessionId
Value:
C3D8E96E-C1AF-4750-8D52-F4E28119C131

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: BootDiagnosticsLogFile
Value:
C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: ProfileBeingOpened
Value:

(PID) Process: (7508) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation: delete key
Name: (default)
Value:
Executable files
283
Suspicious files
200
Text files
453
Unknown types
1

Dropped files

PID | Process | Filename | Type
7508 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | -
MD5:
SHA256:
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF101649.TMP | -
MD5:
SHA256:
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old | -
MD5:
SHA256:
7508 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary
MD5:0334B09CCF9DB659CFBF520E14B9B143
SHA256:1BADBD4AF8EDD4CB02E1D09AED389F9745ECDF6170C143EC75A3995AAFD2B4DA
7508 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary
MD5:CEF06BA2C68A0F8D364C54EEA5B6C654
SHA256:826A20D647EC40628355613181C68000A373EB1D37687E3A3122939F94146B38
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF101658.TMP | -
MD5:
SHA256:
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF101668.TMP | -
MD5:
SHA256:
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | -
MD5:
SHA256:
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF101668.TMP | -
MD5:
SHA256:
7216 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF101668.TMP | -
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
108
TCP/UDP connections
91
DNS requests
65
Threats
21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7508 | OUTLOOK.EXE | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | US | binary | 471 b | whitelisted
7236 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | US | text | 446 b | whitelisted
7236 | msedge.exe | GET | 200 | 150.171.22.17:443 | https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=65&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0 | US | text | 768 b | whitelisted
7508 | OUTLOOK.EXE | GET | 200 | 52.123.129.14:443 | https://ecs.office.com/config/v2/Office/outlook/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=outlook&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=outlook.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b420A4B5A-BCD3-4C0B-A701-D6127D597DC7%7d&LabMachine=false | US | text | 128 Kb | unknown
7508 | OUTLOOK.EXE | POST | 200 | 52.109.28.47:443 | https://roaming.officeapps.live.com/rs/RoamingSoapService.svc | US | text | 654 b | whitelisted
7508 | OUTLOOK.EXE | GET | 200 | 23.50.131.79:443 | https://omex.cdn.office.net/addinclassifier/officesharedentities | NL | text | 128 Kb | whitelisted
7508 | OUTLOOK.EXE | GET | 200 | 52.111.243.12:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=6&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B420A4B5A-BCD3-4C0B-A701-D6127D597DC7%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%22%7D | US | text | 542 b | unknown
7508 | OUTLOOK.EXE | POST | 200 | 172.187.61.142:443 | https://nleditor.osi.office.net/NlEditor/CloudSuggest/V1 | US | text | 155 b | whitelisted
4036 | svchost.exe | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted
4036 | svchost.exe | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
6296 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3060 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
7508 | OUTLOOK.EXE | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3412 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7508 | OUTLOOK.EXE | 52.109.28.47:443 | roaming.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7508 | OUTLOOK.EXE | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
7508 | OUTLOOK.EXE | 23.50.131.79:443 | omex.cdn.office.net | AKAMAI-ASN1 | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
google.com | 142.251.208.14 | whitelisted
ecs.office.com | 52.123.129.14, 52.123.128.14 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
roaming.officeapps.live.com | 52.109.28.47 | whitelisted
ocsp.digicert.com | 23.63.118.230 | whitelisted
omex.cdn.office.net | 23.50.131.79, 23.50.131.71 | whitelisted
messaging.lifecycle.office.com | 52.111.243.12 | whitelisted
nleditor.osi.office.net | 172.187.61.142 | whitelisted
login.live.com | 20.190.159.23, 40.126.31.69, 20.190.159.130, 20.190.159.129, 40.126.31.129, 20.190.159.131, 20.190.159.128, 40.126.31.67 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7236 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
7236 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
- | - | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET HUNTING EXE Downloaded from Github
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
8496 | S_eStatement.exe | Misc activity | INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
8496 | S_eStatement.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
8496 | S_eStatement.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 27
8496 | S_eStatement.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP SimpleHelp Remote Access Software Activity
No debug info