File name: eStmt-2026-889745201.exe

Full analysis: https://app.any.run/tasks/17c6e877-26f8-486b-91f2-fcf7026649b8
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 20, 2026, 03:43:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
simplehelp
rmm-tool
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5: 6FEE24463E751E103E4CB1F64DC84B39
SHA1: 3B7A43FD7810B5A0B1B389E6404A8360F4AC7E1D
SHA256: BCC661E44412C7628EC6F4624246013550693585B70A4EA2F8A18C4AC5EC8D39
SSDEEP: 196608:3Dfx6xGPu6W9cZqIbe9eaVyqOfmPJAs2zuBQDVL8+q:3jx6EPuhAqIC9eqOfDJ5L8+q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • eStmt-2026-889745201.exe (PID: 8164)
      • eStmt-2026-889745201.exe (PID: 2840)
      • unpack200.exe (PID: 6140)
      • unpack200.exe (PID: 5548)
      • unpack200.exe (PID: 6500)
      • unpack200.exe (PID: 7760)
      • unpack200.exe (PID: 3424)
      • unpack200.exe (PID: 1404)
      • unpack200.exe (PID: 7244)
      • unpack200.exe (PID: 1500)
      • windowslauncher.exe (PID: 7840)
      • unpack200.exe (PID: 1724)
      • unpack200.exe (PID: 7456)
      • unpack200.exe (PID: 7856)
      • Remote AccessLauncher.exe (PID: 6628)
      • Remote Access.exe (PID: 2988)
      • SimpleService.exe (PID: 7724)
      • SimpleService.exe (PID: 488)
      • SimpleService.exe (PID: 2648)
      • Remote Access Service.exe (PID: 2268)
      • Remote Access.exe (PID: 4276)
      • session_win.exe (PID: 6896)
      • session_win.exe (PID: 5548)
      • elev_win.exe (PID: 4316)
      • elev_win.exe (PID: 7964)
      • elev_win.exe (PID: 6936)
      • session_win.exe (PID: 8148)
      • elev_win.exe (PID: 1284)
      • session_win.exe (PID: 5864)
      • session_win.exe (PID: 5196)
      • elev_win.exe (PID: 5568)
      • elev_win.exe (PID: 6796)
      • session_win.exe (PID: 3136)
      • elev_win.exe (PID: 7568)
      • elev_win.exe (PID: 7588)
      • session_win.exe (PID: 5788)
      • elev_win.exe (PID: 5748)
      • session_win.exe (PID: 1152)
      • session_win.exe (PID: 6836)
      • elev_win.exe (PID: 4488)
      • session_win.exe (PID: 5632)
      • elev_win.exe (PID: 1728)
      • session_win.exe (PID: 7160)
      • session_win.exe (PID: 7224)
      • elev_win.exe (PID: 4712)
      • session_win.exe (PID: 4308)
      • session_win.exe (PID: 2300)
      • elev_win.exe (PID: 7488)
      • elev_win.exe (PID: 5888)
      • elev_win.exe (PID: 5284)
      • session_win.exe (PID: 6752)
      • elev_win.exe (PID: 5140)
    • SIMPLEHELP has been detected

      • eStmt-2026-889745201.exe (PID: 8164)
      • SimpleService.exe (PID: 2648)
      • Remote Access Service.exe (PID: 2268)
      • Remote Access.exe (PID: 4276)
      • session_win.exe (PID: 6896)
      • session_win.exe (PID: 5548)
      • session_win.exe (PID: 8148)
      • session_win.exe (PID: 5196)
      • session_win.exe (PID: 5864)
      • session_win.exe (PID: 416)
      • session_win.exe (PID: 6836)
      • session_win.exe (PID: 5788)
      • session_win.exe (PID: 3136)
      • session_win.exe (PID: 1152)
      • session_win.exe (PID: 5632)
      • session_win.exe (PID: 7160)
      • session_win.exe (PID: 7224)
      • session_win.exe (PID: 4308)
      • session_win.exe (PID: 2300)
      • session_win.exe (PID: 6752)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • eStmt-2026-889745201.exe (PID: 8164)
      • Remote Access.exe (PID: 2988)
      • Remote Access.exe (PID: 4276)
    • Access to an unwanted program domain was detected

      • eStmt-2026-889745201.exe (PID: 8164)
    • The process drops C-runtime libraries

      • eStmt-2026-889745201.exe (PID: 8164)
    • Uses ICACLS.EXE to modify access control lists

      • eStmt-2026-889745201.exe (PID: 8164)
      • Remote AccessLauncher.exe (PID: 6628)
      • Remote Access.exe (PID: 2988)
      • Remote Access.exe (PID: 4276)
    • Executes as Windows Service

      • SimpleService.exe (PID: 2648)
    • Creates or modifies Windows services

      • Remote Access.exe (PID: 4276)
    • Suspicious use of NETSH.EXE

      • Remote Access.exe (PID: 4276)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Remote Access.exe (PID: 4276)
  • INFO

    • Checks supported languages

      • eStmt-2026-889745201.exe (PID: 8164)
      • unpack200.exe (PID: 6140)
      • unpack200.exe (PID: 6500)
      • unpack200.exe (PID: 5548)
      • unpack200.exe (PID: 7760)
      • unpack200.exe (PID: 3424)
      • unpack200.exe (PID: 1404)
      • unpack200.exe (PID: 7244)
      • unpack200.exe (PID: 4480)
      • windowslauncher.exe (PID: 7840)
      • unpack200.exe (PID: 1724)
      • unpack200.exe (PID: 7856)
      • unpack200.exe (PID: 1500)
      • unpack200.exe (PID: 7456)
      • Remote Access.exe (PID: 2988)
      • SimpleService.exe (PID: 7724)
      • Remote AccessLauncher.exe (PID: 6628)
      • SimpleService.exe (PID: 488)
      • Remote Access Service.exe (PID: 2268)
      • SimpleService.exe (PID: 2648)
      • Remote Access.exe (PID: 4276)
      • session_win.exe (PID: 6896)
      • elev_win.exe (PID: 7964)
      • session_win.exe (PID: 5548)
      • elev_win.exe (PID: 6936)
      • elev_win.exe (PID: 4316)
      • session_win.exe (PID: 8148)
      • session_win.exe (PID: 5864)
      • elev_win.exe (PID: 1284)
      • session_win.exe (PID: 5196)
      • session_win.exe (PID: 416)
      • elev_win.exe (PID: 5568)
      • elev_win.exe (PID: 6796)
      • session_win.exe (PID: 3136)
      • session_win.exe (PID: 6836)
      • elev_win.exe (PID: 7588)
      • session_win.exe (PID: 5788)
      • elev_win.exe (PID: 5748)
      • elev_win.exe (PID: 7568)
      • elev_win.exe (PID: 4488)
      • session_win.exe (PID: 7160)
      • elev_win.exe (PID: 1728)
      • session_win.exe (PID: 1152)
      • session_win.exe (PID: 5632)
      • elev_win.exe (PID: 4712)
      • session_win.exe (PID: 4308)
      • elev_win.exe (PID: 7488)
      • elev_win.exe (PID: 5888)
      • session_win.exe (PID: 7224)
      • elev_win.exe (PID: 5284)
      • session_win.exe (PID: 6752)
      • session_win.exe (PID: 2300)
      • elev_win.exe (PID: 5140)
    • Reads the computer name

      • eStmt-2026-889745201.exe (PID: 8164)
      • Remote Access.exe (PID: 2988)
      • Remote Access.exe (PID: 4276)
      • SimpleService.exe (PID: 7724)
      • SimpleService.exe (PID: 488)
      • session_win.exe (PID: 6896)
      • session_win.exe (PID: 5548)
      • session_win.exe (PID: 8148)
      • session_win.exe (PID: 5864)
      • session_win.exe (PID: 5196)
      • session_win.exe (PID: 416)
      • session_win.exe (PID: 3136)
      • session_win.exe (PID: 5788)
      • SimpleService.exe (PID: 2648)
      • session_win.exe (PID: 6836)
      • session_win.exe (PID: 1152)
      • session_win.exe (PID: 7160)
      • session_win.exe (PID: 5632)
      • session_win.exe (PID: 4308)
      • session_win.exe (PID: 7224)
      • session_win.exe (PID: 6752)
      • session_win.exe (PID: 2300)
    • SIMPLEHELP has been detected

      • eStmt-2026-889745201.exe (PID: 8164)
      • eStmt-2026-889745201.exe (PID: 8164)
      • cacls.exe (PID: 5008)
      • Remote Access.exe (PID: 2988)
      • Remote Access.exe (PID: 2988)
      • SimpleService.exe (PID: 7724)
      • SimpleService.exe (PID: 2648)
      • Remote Access Service.exe (PID: 2268)
      • SimpleService.exe (PID: 488)
      • cacls.exe (PID: 7512)
      • Remote Access.exe (PID: 4276)
      • Remote Access.exe (PID: 4276)
      • session_win.exe (PID: 6896)
      • session_win.exe (PID: 5548)
      • session_win.exe (PID: 8148)
      • session_win.exe (PID: 5196)
      • session_win.exe (PID: 416)
      • session_win.exe (PID: 5864)
      • session_win.exe (PID: 6836)
      • session_win.exe (PID: 5788)
      • session_win.exe (PID: 3136)
      • session_win.exe (PID: 5632)
      • session_win.exe (PID: 1152)
      • session_win.exe (PID: 7224)
      • session_win.exe (PID: 4308)
      • session_win.exe (PID: 7160)
      • session_win.exe (PID: 2300)
      • session_win.exe (PID: 6752)
    • Creates files or folders in the user directory

      • eStmt-2026-889745201.exe (PID: 8164)
      • Remote Access.exe (PID: 2988)
    • Reads security settings of Internet Explorer

      • eStmt-2026-889745201.exe (PID: 8164)
      • netsh.exe (PID: 4872)
      • netsh.exe (PID: 2316)
    • The sample was compiled with English language support

      • eStmt-2026-889745201.exe (PID: 8164)
    • Creates files in a temporary directory

      • eStmt-2026-889745201.exe (PID: 8164)
      • Remote Access.exe (PID: 2988)
      • Remote AccessLauncher.exe (PID: 6628)
    • Reads the machine GUID from the registry

      • Remote Access.exe (PID: 2988)
      • Remote Access.exe (PID: 4276)
    • There is functionality for taking screenshots (YARA)

      • Remote Access.exe (PID: 4276)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:03:18 14:39:36+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 268800
InitializedDataSize: 143872
UninitializedDataSize: -
EntryPoint: 0x1cf10
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 5.2.11.0
ProductVersionNumber: 10.10.10.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 5.2.11.0
ProductVersion: 5.2.11.0
OriginalFileName:
InternalName:
FileDescription: SimpleHelp Remote Access Client
CompanyName: SimpleHelp Ltd
LegalCopyright: Copyright (c) 2020
ProductName: Remote Access
Total processes: 259
Monitored processes: 125
Malicious processes: 23
Suspicious processes: 30

Behavior graph

Behavior graph (interactive in the full report; only the node labels survive here). Nodes in the order shown: estmt-2026-889745201.exe (flagged THREAT), svchost.exe, a series of unpack200.exe runs, windowslauncher.exe, further unpack200.exe runs, icacls.exe, repeated cacls.exe / conhost.exe pairs, remote accesslauncher.exe, remote access.exe, simpleservice.exe (three nodes, the last flagged THREAT), remote access service.exe (THREAT), a second remote access.exe (THREAT) followed by more cacls.exe / conhost.exe pairs and several netsh.exe / conhost.exe pairs, then repeated session_win.exe (THREAT) / elev_win.exe pairs, and a final estmt-2026-889745201.exe node. Nodes marked "no specs" carry no signature hits of their own.

Process information

PID: 416
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\session_win.exe" --slWaitForCompletion "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\elev_win.exe" --mouselocation
Path: C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\session_win.exe
Parent process: Remote Access.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1697
Version:
5.2.11.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access-00075795303-complete\session_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 488
CMD: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe" -install "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\simplegateway.service"
Path: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe
Parent process: Remote Access.exe
User:
admin
Integrity Level:
HIGH
Exit code:
6360688
Modules
Images
c:\programdata\jwrapper-remote access\jwappssharedconfig\restricted\simpleservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 664
CMD: cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00063527423-complete\unrestricted" /e /g "Users":F
Path: C:\Windows\System32\cacls.exe
Parent process: eStmt-2026-889745201.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1152
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\session_win.exe" --slWaitForCompletion "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\elev_win.exe" --mouselocation
Path: C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\session_win.exe
Parent process: Remote Access.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1697
Version:
5.2.11.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access-00075795303-complete\session_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1268
CMD: cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\unrestricted" /e /g "Users":F
Path: C:\Windows\System32\cacls.exe
Parent process: eStmt-2026-889745201.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
PID: 1284
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1284
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\elev_win.exe" "--mouselocation"
Path: C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\elev_win.exe
Parent process: session_win.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1697
Version:
5.2.11.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access-00075795303-complete\elev_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1296
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1404
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248637-4-app\bin\unpack200.exe" "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248637-4-app\lib\ext\sunpkcs11.jar.p2" "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248637-4-app\lib\ext\sunpkcs11.jar"
Path: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248637-4-app\bin\unpack200.exe
Parent process: eStmt-2026-889745201.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.1920.12
Modules
Images
c:\programdata\jwrapper-remote access\jwrappertemp-1779248637-4-app\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\programdata\jwrapper-remote access\jwrappertemp-1779248637-4-app\bin\msvcr100.dll
PID: 1404
CMD: cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\unrestricted\jwLastRun" /e /g "Users":F
Path: C:\Windows\System32\cacls.exe
Parent process: eStmt-2026-889745201.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 20 171
Read events: 20 107
Write events: 48
Delete events: 16

Modification events

Process: (8164) eStmt-2026-889745201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (8164) eStmt-2026-889745201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (8164) eStmt-2026-889745201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: workingdir
Value: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: cmdline
Value: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe"

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: auto_restart
Value: no

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: run_once
Value: no

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: do_cad
Value: no

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: stopcmdline
Value: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\StopSimpleGatewayService.exe"

Process: (488) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: stopworkingdir
Value: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService
Executable files: 143
Suspicious files: 88
Text files: 85
Unknown types: 2

Dropped files

PID | Process | Filename | Type

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\jwBuildVersion | text
MD5: DAA3C36025E2F86BD0A8D8BF3BE8353B
SHA256: 6AFD7786F03601285735B5053A5131887128FD9A214ECF1909290CCF49F01C07

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\jwrapperlib\jwstandalonelaunch.jar | compressed
MD5: 404F278CBAAF0187271295C80623556F
SHA256: 901919E3E42B44565A2F57A077BA65E7308D9651223B97B4966360F18F63246A

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\nativesplash.png | image
MD5: A3BE1246247CFC9A93352D288E81F358
SHA256: 2F7D3BC8FFBE9B3152EC9C332363247A4E89591FC1349BC0EB2E3A3D93055043

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\jwutils_win32.dll | executable
MD5: 9F266D3D16AA06F96BD4BF055C025AE6
SHA256: 4D56D75B9E20D0AD8118E2C96F8304034BFEFF9F1DCECA6F0DD09BB7FFCC9BE3

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\JWrapper-Remote Access-splash.png | image
MD5: A3BE1246247CFC9A93352D288E81F358
SHA256: 2F7D3BC8FFBE9B3152EC9C332363247A4E89591FC1349BC0EB2E3A3D93055043

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\jwrapperlib\jwstandalone.jar | compressed
MD5: 973685997DFB3B364C571E87203470CC
SHA256: DCF29BB839989AF3F3FD43E7AFA5900DC26B01D5D6DD27DAB3853AA16CA2308C

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\JWrapper-JWrapper-version.txt | text
MD5: 9C08295BFCE420684BB4ADF6619B3066
SHA256: A9F4EBB48449D128DC92BAE80B5CFF0014CAEC60E566F3F8CE0C368BB71FADFE

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\SimpleService.exe | executable
MD5: FC84549947A1EDE86D95298414282A7C
SHA256: A8E83DDF6590A0B9FD1069BDB9655D5A40CC4432207F402F78DBE84712AC821C

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\JWrapperLaunch | binary
MD5: D622DECBD7498058C4F7664F088C0543
SHA256: 7186271120BDC76A60AB6AAEE280E9EF1ED6C14FA3515126555AFEC8073DFE9E

8164 | eStmt-2026-889745201.exe | C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1779248636-3-app\jwAuthorPublicKey | text
MD5: 1128DCB368DF4E55C20A4657D6B9B6A5
SHA256: B72D40A45A55DF2C60142D734630E5BE9464B52A09CF71A2951BD4553F785A12
HTTP(S) requests: 61
TCP/UDP connections: 50
DNS requests: 22
Threats: 18

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
680 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
680 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
- | - | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
7484 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
7224 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
8164 | eStmt-2026-889745201.exe | GET | 200 | 38.146.27.60:80 | http://fat7e077fat7e07.ddns.net/access/JWrapper-Windows64JRE-version.txt?time=1132176207 | US | text | 11 b | unknown
8164 | eStmt-2026-889745201.exe | GET | 200 | 38.146.27.60:80 | http://fat7e077fat7e07.ddns.net/access/JWrapper-Windows64JRE-version.txt?time=1132176207 | US | text | 11 b | unknown
- | - | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted

(Rows with "-" in the PID and Process columns had no process attribution in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 92.123.104.34:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
680 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
680 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 48.209.6.48:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
680 | svchost.exe | 48.209.6.48:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

(Rows with "-" in the PID and Process columns had no process attribution in the report; the broadcast connections to 192.168.100.255 carry no domain or country.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 48.209.138.189
  • 48.209.6.48
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 92.123.104.34
  • 92.123.104.33
  • 92.123.104.32
  • 92.123.104.38
  • 2.16.241.218
  • 2.16.241.201
whitelisted
google.com
  • 142.251.110.102
  • 142.251.110.100
  • 142.251.110.139
  • 142.251.110.113
  • 142.251.110.138
  • 142.251.110.101
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.49
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
  • 2.23.246.101
whitelisted
fat7e077fat7e07.ddns.net
  • 38.146.27.60
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.1
  • 40.126.31.129
  • 40.126.31.69
  • 40.126.31.2
  • 40.126.31.128
  • 40.126.31.73
  • 20.190.159.71
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
8164 | eStmt-2026-889745201.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
8164 | eStmt-2026-889745201.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
8164 | eStmt-2026-889745201.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
8164 | eStmt-2026-889745201.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
8164 | eStmt-2026-889745201.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
8164 | eStmt-2026-889745201.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
8164 | eStmt-2026-889745201.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP SimpleHelp Remote Access Software Activity
8164 | eStmt-2026-889745201.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP SimpleHelp Remote Access Software Activity
8164 | eStmt-2026-889745201.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP SimpleHelp Remote Access Software Activity
No debug info