Malware analysis GPAgent (1).exe Malicious activity | ANY.RUN

Add for printing

File name:	GPAgent (1).exe
Full analysis:	https://app.any.run/tasks/985561dd-5435-4297-b4d9-b0b862f2ec2d
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	November 02, 2025, 21:08:44
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	simplehelp rmm-tool adware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:	720706E840D6AF3CC2914DAF061E6CB4
SHA1:	90D17DE958FAC9A6153331500C6503A4DBF942DE
SHA256:	8D296D44CFCA3BCBD77B39AF8DAEB2570BCA0E929313447594D8CEC4F3B12D26
SSDEEP:	98304:5XkiV6sXfB/vSHzZW20sT/f1yijnGerJYg7rbNm+DtNFsaAdIydAK1epfx/hwQK9:DlZzoO0fNwdG6T+FWZoPt+jIAqJPHWl/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - GPAgent (1).exe (PID: 7520)
  - unpack200.exe (PID: 7928)
  - unpack200.exe (PID: 7948)
  - unpack200.exe (PID: 7988)
  - unpack200.exe (PID: 8028)
  - unpack200.exe (PID: 8048)
  - windowslauncher.exe (PID: 8072)
  - unpack200.exe (PID: 7968)
  - unpack200.exe (PID: 8008)
  - Remote AccessLauncher.exe (PID: 7296)
  - unpack200.exe (PID: 8180)
  - unpack200.exe (PID: 8104)
  - Remote Access.exe (PID: 7228)
- SIMPLEHELP has been detected
  - GPAgent (1).exe (PID: 7684)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - GPAgent (1).exe (PID: 7684)
- Process drops legitimate windows executable
  - GPAgent (1).exe (PID: 7684)
- The process drops C-runtime libraries
  - GPAgent (1).exe (PID: 7684)
- Executable content was dropped or overwritten
  - GPAgent (1).exe (PID: 7684)
- Access to an unwanted program domain was detected
  - GPAgent (1).exe (PID: 7684)
- Connects to unusual port
  - GPAgent (1).exe (PID: 7684)
  - Remote Access.exe (PID: 7228)
- Uses ICACLS.EXE to modify access control lists
  - GPAgent (1).exe (PID: 7684)
  - Remote Access.exe (PID: 7228)
  - Remote AccessLauncher.exe (PID: 7296)
- There is functionality for taking screenshot (YARA)
  - Remote Access.exe (PID: 7228)
INFO
- Checks proxy server information
  - GPAgent (1).exe (PID: 7684)
- Checks supported languages
  - GPAgent (1).exe (PID: 7684)
  - unpack200.exe (PID: 7928)
  - unpack200.exe (PID: 7948)
  - unpack200.exe (PID: 7968)
  - unpack200.exe (PID: 7988)
  - unpack200.exe (PID: 8028)
  - unpack200.exe (PID: 8048)
  - unpack200.exe (PID: 8008)
  - unpack200.exe (PID: 8180)
  - Remote AccessLauncher.exe (PID: 7296)
  - windowslauncher.exe (PID: 8072)
  - unpack200.exe (PID: 8104)
  - Remote Access.exe (PID: 7228)
- SIMPLEHELP has been detected
  - GPAgent (1).exe (PID: 7684)
  - Remote Access.exe (PID: 7228)
- Reads the computer name
  - GPAgent (1).exe (PID: 7684)
  - Remote Access.exe (PID: 7228)
- Creates files in the program directory
  - GPAgent (1).exe (PID: 7684)
  - unpack200.exe (PID: 7928)
  - unpack200.exe (PID: 7948)
  - unpack200.exe (PID: 7968)
  - unpack200.exe (PID: 7988)
  - unpack200.exe (PID: 8048)
  - unpack200.exe (PID: 8008)
  - unpack200.exe (PID: 8028)
  - unpack200.exe (PID: 8180)
  - Remote AccessLauncher.exe (PID: 7296)
  - unpack200.exe (PID: 8104)
  - Remote Access.exe (PID: 7228)
- The sample compiled with english language support
  - GPAgent (1).exe (PID: 7684)
- Creates files or folders in the user directory
  - GPAgent (1).exe (PID: 7684)
- Create files in a temporary directory
  - GPAgent (1).exe (PID: 7684)
  - Remote AccessLauncher.exe (PID: 7296)
  - Remote Access.exe (PID: 7228)
- Reads the time zone
  - GPAgent (1).exe (PID: 7684)
  - Remote AccessLauncher.exe (PID: 7296)
  - Remote Access.exe (PID: 7228)
- Reads the machine GUID from the registry
  - GPAgent (1).exe (PID: 7684)
  - Remote Access.exe (PID: 7228)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (35.8)
.exe	\|	Win64 Executable (generic) (31.7)
.scr	\|	Windows screen saver (15)
.dll	\|	Win32 Dynamic Link Library (generic) (7.5)
.exe	\|	Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2017:06:29 13:54:35+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	8
CodeSize:	268288
InitializedDataSize:	143360
UninitializedDataSize:	-
EntryPoint:	0x1cd40
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	5.0.0.0
ProductVersionNumber:	5.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	5.0.0.0
ProductVersion:	5.0.0.0
OriginalFileName:	Remote Access-windows64-offline.exe_icon.exe
InternalName:	Remote Access-windows64-offline.exe_icon.exe
FileDescription:	SimpleHelp Remote Access Client
CompanyName:	SimpleHelp Ltd
LegalCopyright:	Copyright (c) 2009
ProductName:	Remote Access

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

206

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

744

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1172

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1264

cacls "C:\ProgramData\JWrapper-Remote Access\logs" /e /g "Users":F

C:\Windows\System32\cacls.exe

—

GPAgent (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1284

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1416

cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052950164-complete\jwLastRun" /e /g "Users":F

C:\Windows\System32\cacls.exe

—

GPAgent (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1920

cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig" /e /g "Users":F

C:\Windows\System32\cacls.exe

—

GPAgent (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2376

cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\Remote_Access_ConfigureICO.ico" /e /g "Users":F

C:\Windows\System32\cacls.exe

—

GPAgent (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ucrtbase.dll

2800

cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00062339354-complete" /e /g "Users":F

C:\Windows\System32\cacls.exe

—

GPAgent (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3032

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3032

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

2 464

Read events

2 461

Write events

Delete events

Modification events


(PID) Process:	(7684) GPAgent (1).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7684) GPAgent (1).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7684) GPAgent (1).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

474

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\nativesplash.png		image
		MD5:A3BE1246247CFC9A93352D288E81F358	SHA256:2F7D3BC8FFBE9B3152EC9C332363247A4E89591FC1349BC0EB2E3A3D93055043
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\SimpleService.exe		executable
		MD5:CD6038A96F5AAB4C23EEE575DBAB8A7E	SHA256:7CA90D322E770083C880320182CE6DD3C9DA6DBFF93CCC3459F06316460AB95E
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\libjwutils_linux32arm.so		binary
		MD5:EE854028C8C4A3690EEB89CE6D7240D4	SHA256:7FE175492F67D950BE416E4AD28D94ED4B9E028C6A42D4DED8450ACEED8D6A89
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\libjwutils_macos32.jnilib		binary
		MD5:46761940FE82242D0EE5D0F3719CCD7B	SHA256:D9A35402D0505763AAD1F83621A726771D0E3144F6925987F2C5507C72FE5332
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\JWrapper-Remote Access-ICNS.icns		binary
		MD5:38D961A37088B5B60431EF4B81BC8902	SHA256:60BCAAEF7D51F73A7461FB83D27EFF75353EE0273D0D4A9CD2DFE92D2D50D599
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\libjwutils_linux32.so		binary
		MD5:9A5D5F9DC54F9FB21E89619688B9675E	SHA256:45F9BEC62E6E74F0E82698F5A4253C94456BE31B1DAA802D64CC09EC8ADE35B7
7684	GPAgent (1).exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\JWrapper-Windows64JRE-version[1].txt		text
		MD5:DB48F4BA29F039BC48B981081D814D7B	SHA256:93BB540C44DDA88DEC0445CCCF52FE14F62601BE43FD67EF0352D97062CB9138
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\libjwutils_macos64.jnilib		binary
		MD5:F777972D33DA464B94FBF80762DB08D6	SHA256:83E0FFF9A88D2F170CF689F0008EA3654044690E108CCAEDE8FD7F5DAE0B9212
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\JWrapperLaunch		binary
		MD5:D622DECBD7498058C4F7664F088C0543	SHA256:7186271120BDC76A60AB6AAEE280E9EF1ED6C14FA3515126555AFEC8073DFE9E
7684	GPAgent (1).exe	C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1762117731-4-app\jwAuthorPublicKey		text
		MD5:1128DCB368DF4E55C20A4657D6B9B6A5	SHA256:B72D40A45A55DF2C60142D734630E5BE9464B52A09CF71A2951BD4553F785A12

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7684	GPAgent (1).exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/access/JWrapper-Windows64JRE-version.txt?time=1181140157	unknown	—	—	unknown
7684	GPAgent (1).exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/access/JWrapper-Windows64JRE-version.txt?time=1181140157	unknown	—	—	unknown
7684	GPAgent (1).exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/access/JWrapper-Windows64JRE-version.txt?time=1181140157	unknown	—	—	unknown
7684	GPAgent (1).exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/access/JWrapper-Remote%20Access-version.txt	unknown	—	—	unknown
7684	GPAgent (1).exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/access/JWrapper-Remote%20Access-version.txt	unknown	—	—	unknown
7228	Remote Access.exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/translations_user/en.txt	unknown	—	—	unknown
7684	GPAgent (1).exe	GET	200	173.219.6.55:444	http://vpn.daconsult.com:444/access/JWrapper-JWrapper-version.txt	unknown	—	—	unknown
6172	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5596	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4140	SIHClient.exe	GET	200	72.246.29.11:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
412	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5596	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6172	svchost.exe	40.126.31.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.11.206.97:443	www.bing.com	Akamai International B.V.	DE	whitelisted
7684	GPAgent (1).exe	173.219.6.55:444	vpn.daconsult.com	SUDDENLINK-COMMUNICATIONS	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
7228	Remote Access.exe	173.219.6.55:444	vpn.daconsult.com	SUDDENLINK-COMMUNICATIONS	US	unknown
6172	svchost.exe	40.126.31.0:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5596	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
login.live.com	40.126.31.73 40.126.31.0 20.190.159.23 40.126.31.3 40.126.31.2 20.190.159.75 20.190.159.68 20.190.159.130	whitelisted
www.bing.com	23.11.206.97 23.11.206.99 23.3.89.115 23.11.206.98 23.3.89.105 23.3.89.106 23.3.89.112 23.3.89.120 23.3.89.121	whitelisted
google.com	142.250.184.206	whitelisted
vpn.daconsult.com	173.219.6.55	unknown
ocsp.digicert.com	2.17.190.73	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	74.179.77.204	whitelisted
www.microsoft.com	72.246.29.11	whitelisted

Threats

PID	Process	Class	Message
7684	GPAgent (1).exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
7684	GPAgent (1).exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
7684	GPAgent (1).exe	Possibly Unwanted Program Detected	ET ADWARE_PUP SimpleHelp Remote Access Software Activity
7684	GPAgent (1).exe	Misc activity	ET INFO Simplehelp Remote Administration Suite HTTP Server Value in Response
7684	GPAgent (1).exe	Possibly Unwanted Program Detected	ET ADWARE_PUP SimpleHelp Remote Access Software Activity
7684	GPAgent (1).exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
7684	GPAgent (1).exe	Possibly Unwanted Program Detected	ET ADWARE_PUP SimpleHelp Remote Access Software Activity

Add for printing

No debug info

General Info

GPAgent (1).exe

720706E840D6AF3CC2914DAF061E6CB4

90D17DE958FAC9A6153331500C6503A4DBF942DE

8D296D44CFCA3BCBD77B39AF8DAEB2570BCA0E929313447594D8CEC4F3B12D26

98304:5XkiV6sXfB/vSHzZW20sT/f1yijnGerJYg7rbNm+DtNFsaAdIydAK1epfx/hwQK9:DlZzoO0fNwdG6T+FWZoPt+jIAqJPHWl/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SIMPLEHELP has been detected

SUSPICIOUS

Reads security settings of Internet Explorer

Process drops legitimate windows executable

The process drops C-runtime libraries

Executable content was dropped or overwritten

Access to an unwanted program domain was detected

Connects to unusual port

Uses ICACLS.EXE to modify access control lists

There is functionality for taking screenshot (YARA)

INFO

Checks proxy server information

Checks supported languages

SIMPLEHELP has been detected

Reads the computer name

Creates files in the program directory

The sample compiled with english language support

Creates files or folders in the user directory

Create files in a temporary directory

Reads the time zone

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings