File name:

e-invite.exe

Full analysis: https://app.any.run/tasks/7a958457-9066-4694-8673-f4ef9cacec3f
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: July 31, 2025, 21:11:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
simplehelp
rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

3407326B4D5C7A89AD0497859BBBB965

SHA1:

4F2F6A6AC4B6AC132166E492107866EA37278370

SHA256:

AD91D3F34AC93BF89CC0F5D66B3FF788FF53DCAA44FFDE99428CF994560449C8

SSDEEP:

393216:aE7/QpVyOXwRVssVFc4+xvjYBbBYC0QrjJWOaPaP7:FTQpV3X6/cfZYBmuCw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SIMPLEHELP has been detected

      • e-invite.exe (PID: 1728)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • e-invite.exe (PID: 1728)

    • Access to an unwanted program domain was detected

      • e-invite.exe (PID: 1728)

    • Executes application which crashes

      • e-invite.exe (PID: 1728)

    • The process drops C-runtime libraries

      • e-invite.exe (PID: 1728)

    • Executable content was dropped or overwritten

      • e-invite.exe (PID: 1728)

    • Process drops legitimate windows executable

      • e-invite.exe (PID: 1728)

  • INFO

    • Reads the computer name

      • e-invite.exe (PID: 1728)

    • Checks supported languages

      • e-invite.exe (PID: 1728)
      • windowslauncher.exe (PID: 4232)

    • SIMPLEHELP has been detected

      • e-invite.exe (PID: 1728)

    • Checks proxy server information

      • e-invite.exe (PID: 1728)
      • WerFault.exe (PID: 3740)
      • slui.exe (PID: 3092)

    • Reads the software policy settings

      • slui.exe (PID: 3092)
      • WerFault.exe (PID: 3740)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3740)
      • e-invite.exe (PID: 1728)

    • The sample compiled with english language support

      • e-invite.exe (PID: 1728)

    • Creates files in the program directory

      • e-invite.exe (PID: 1728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:11:08 11:22:03+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 272896
InitializedDataSize: 145408
UninitializedDataSize: -
EntryPoint: 0x1dfe0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 5.5.11.0
ProductVersionNumber: 10.10.10.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 5.5.11.0
ProductVersion: 5.5.11.0
OriginalFileName: Remote Access-windows64-offline.exe_ico
InternalName:
FileDescription: SimpleHelp Remote Access Client
CompanyName: SimpleHelp Ltd
LegalCopyright: Copyright (c) 2025
ProductName: Remote Access
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT e-invite.exe windowslauncher.exe no specs werfault.exe slui.exe e-invite.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1728"C:\Users\admin\Desktop\e-invite.exe" C:\Users\admin\Desktop\e-invite.exe
explorer.exe
User:
admin
Company:
SimpleHelp Ltd
Integrity Level:
HIGH
Description:
SimpleHelp Remote Access Client
Exit code:
3221225477
Version:
5.5.11.0
Modules
Images
c:\users\admin\desktop\e-invite.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\wininet.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
2232"C:\Users\admin\Desktop\e-invite.exe" C:\Users\admin\Desktop\e-invite.exeexplorer.exe
User:
admin
Company:
SimpleHelp Ltd
Integrity Level:
MEDIUM
Description:
SimpleHelp Remote Access Client
Exit code:
3221226540
Version:
5.5.11.0
Modules
Images
c:\users\admin\desktop\e-invite.exe
c:\windows\system32\ntdll.dll
3092C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3740C:\WINDOWS\system32\WerFault.exe -u -p 1728 -s 968C:\Windows\System32\WerFault.exe
e-invite.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
4232"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-3-app\bin\windowslauncher.exe" "-Xshare:dump" C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-3-app\bin\windowslauncher.exee-invite.exe
User:
admin
Company:
SimpleHelp Ltd
Integrity Level:
HIGH
Description:
SimpleHelp Remote Access Client
Exit code:
1
Version:
5.5.11.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access bundle-00115411648\jwrappertemp-1753996291-3-app\bin\windowslauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
Total events
10 096
Read events
10 087
Write events
6
Delete events
3

Modification events

(PID) Process:(1728) e-invite.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1728) e-invite.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1728) e-invite.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3740) WerFault.exeKey:\REGISTRY\A\{2b078d0e-c64f-4f89-1b38-1c328b950340}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(3740) WerFault.exeKey:\REGISTRY\A\{2b078d0e-c64f-4f89-1b38-1c328b950340}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
Executable files
84
Suspicious files
15
Text files
107
Unknown types
11

Dropped files

PID
Process
Filename
Type
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\jwBuildVersiontext
MD5:111CBC594E436860311A3A9487128BBD
SHA256:A932BADF2D0F3655F7F3A63122A573768C45DA0352EF7CE9A97838EFBE800BA3
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\jwrapperlib\jwstandalonelaunch.jarcompressed
MD5:85E9306E88FA2D1801292EF022B81525
SHA256:F82F60CE140A67D431BF7FC92D6EAF521E22AEAE1390A3C051F27D074327E6CF
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\jwagent.jarcompressed
MD5:7B43AA60C16F9FBBEF9E3514A0FED179
SHA256:BD72FE94813D92B02AC3E313D1FDC9C43B44948D3543FBFE1C899812B6AD094A
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\JWrapper-Remote Access-splash.pngimage
MD5:A695003E634F94B6181F79D774B8DF56
SHA256:6B1460B3785B9C53F520B4125117CB014DCB93BD038B075DC0801EA0D7C440BD
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\jwutils_win64.dllexecutable
MD5:F7D634257C5FE0137DB959F2F09EF3FE
SHA256:7C35C375FF5A5756CB4907D8FD43A040CCE19981E83269BEFCCB254BE06F7CB7
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\logs\Wrapper-2025-07-31-21-11-31-160.logtext
MD5:98C07A6B68CCE443F49CB47D09CEF90D
SHA256:6186D88F0F28CCDD9EAA3C5E122951E425217F384CB778151DCCA22269397659
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\nativesplash.pngimage
MD5:A695003E634F94B6181F79D774B8DF56
SHA256:6B1460B3785B9C53F520B4125117CB014DCB93BD038B075DC0801EA0D7C440BD
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\JWrapper-Remote Access-ICNS.icnsimage
MD5:1566015B1BB21F6A6CEF4D6C9FE16020
SHA256:AD9C24A9F15050418B049AC7B1394578D37723237CB3C119AF0ABAEDCB220A83
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\libjwutils_linux64.soo
MD5:290F13A502FEFE2F8D134428FC0DD942
SHA256:090EBA06A09957EED9966D2014DED4519AAC3FFF80C3EAE13923C791631AD412
1728e-invite.exeC:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00115411648\JWrapperTemp-1753996291-2-app\libjwutils_linux64arm.soo
MD5:2213A431BA77834AE3E5B9A0019AD176
SHA256:0621BB09D90A6EAB8B0C6CAE061616395E721C3CFC986BF2FE89A68CE87F1856
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
51
DNS requests
21
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1728
e-invite.exe
GET
200
162.19.140.13:80
http://gettoupruh.info/access/JWrapper-Windows64JRE-version.txt?time=1649634595&platform=windows-intel-64&osid=w10-0-19045
unknown
unknown
1728
e-invite.exe
GET
200
162.19.140.13:80
http://gettoupruh.info/access/JWrapper-Windows64JRE-version.txt?time=1649634595&platform=windows-intel-64&osid=w10-0-19045
unknown
unknown
POST
400
40.126.31.67:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
40.126.31.69:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.180
  • 23.48.23.176
  • 23.48.23.171
  • 23.48.23.175
  • 23.48.23.179
  • 23.48.23.170
  • 23.48.23.168
  • 23.48.23.146
  • 23.48.23.145
  • 23.48.23.147
  • 23.48.23.161
  • 23.48.23.150
  • 23.48.23.159
  • 23.48.23.162
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
gettoupruh.info
  • 162.19.140.13
unknown
login.live.com
  • 20.190.160.3
  • 20.190.160.66
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.138
  • 20.190.160.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
watson.events.data.microsoft.com
  • 135.234.160.245
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
1728
e-invite.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
1728
e-invite.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
1728
e-invite.exe
Misc activity
ET INFO Simplehelp Remote Administration Suite HTTP Server Value in Response
1728
e-invite.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
1728
e-invite.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP SimpleHelp Remote Access Software Activity
1728
e-invite.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP SimpleHelp Remote Access Software Activity
1728
e-invite.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP SimpleHelp Remote Access Software Activity
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
e-invite.exe