File name: Invoice-PRMREGVK-0003.exe
Full analysis: https://app.any.run/tasks/3dee90f1-d96d-45d7-9614-fa094d299ad1
Verdict: Malicious activity
Analysis date: February 14, 2026, 12:28:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: simplehelp, rmm-tool
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5: D77BF25B85A45F68D7601A9B7D74C9D9
SHA1: 8654D930B771F744C37D5AFB2DF51F4AE95801ED
SHA256: FC99B9483117E98D618FA709C9BFF4944F52C445C452EE8FEA3E92CA3E720E60
SSDEEP: 196608:3Dfx6xGPu6W9cZqIbe9eaVyqOfmPJAs2zuBQDVL8+j:3jx6EPuhAqIC9eqOfDJ5L8+j

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • Invoice-PRMREGVK-0003.exe (PID: 6340)
      • unpack200.exe (PID: 5888)
      • unpack200.exe (PID: 9020)
      • unpack200.exe (PID: 1116)
      • unpack200.exe (PID: 9076)
      • unpack200.exe (PID: 7552)
      • unpack200.exe (PID: 7448)
      • unpack200.exe (PID: 6940)
      • unpack200.exe (PID: 7780)
      • unpack200.exe (PID: 3588)
      • unpack200.exe (PID: 6704)
      • unpack200.exe (PID: 5896)
      • Remote AccessLauncher.exe (PID: 7904)
      • unpack200.exe (PID: 6788)
      • windowslauncher.exe (PID: 8472)
      • SimpleService.exe (PID: 8932)
      • SimpleService.exe (PID: 1600)
      • Remote Access.exe (PID: 8392)
      • Remote Access Service.exe (PID: 2228)
      • SimpleService.exe (PID: 8556)
      • Remote Access.exe (PID: 2480)
      • elev_win.exe (PID: 8224)
      • session_win.exe (PID: 7920)
    • SIMPLEHELP has been detected

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • Remote Access Service.exe (PID: 2228)
      • SimpleService.exe (PID: 8556)
      • session_win.exe (PID: 7920)
      • Remote Access.exe (PID: 2480)
  • SUSPICIOUS

    • Process drops a legitimate Windows executable

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
    • The process drops C-runtime libraries

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
    • Executable content was dropped or overwritten

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • Remote Access.exe (PID: 8392)
      • Remote Access.exe (PID: 2480)
    • Uses ICACLS.EXE to modify access control lists

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • Remote Access.exe (PID: 8392)
      • Remote AccessLauncher.exe (PID: 7904)
      • Remote Access.exe (PID: 2480)
    • Executes as Windows Service

      • SimpleService.exe (PID: 8556)
    • Creates or modifies Windows services

      • Remote Access.exe (PID: 2480)
    • Suspicious use of NETSH.EXE

      • Remote Access.exe (PID: 2480)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Remote Access.exe (PID: 2480)
  • INFO

    • Checks proxy server information

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • slui.exe (PID: 1136)
    • SIMPLEHELP has been detected

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • cacls.exe (PID: 8736)
      • SimpleService.exe (PID: 8932)
      • Remote Access.exe (PID: 8392)
      • SimpleService.exe (PID: 1600)
      • Remote Access.exe (PID: 2480)
      • cacls.exe (PID: 4312)
    • Checks supported languages

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • unpack200.exe (PID: 5888)
      • unpack200.exe (PID: 9020)
      • unpack200.exe (PID: 9076)
      • unpack200.exe (PID: 6940)
      • unpack200.exe (PID: 7552)
      • unpack200.exe (PID: 7780)
      • unpack200.exe (PID: 7448)
      • windowslauncher.exe (PID: 8472)
      • unpack200.exe (PID: 1116)
      • unpack200.exe (PID: 6788)
      • unpack200.exe (PID: 3588)
      • unpack200.exe (PID: 6704)
      • unpack200.exe (PID: 5896)
      • Remote AccessLauncher.exe (PID: 7904)
      • Remote Access.exe (PID: 8392)
      • SimpleService.exe (PID: 8932)
      • SimpleService.exe (PID: 1600)
      • Remote Access Service.exe (PID: 2228)
      • Remote Access.exe (PID: 2480)
      • SimpleService.exe (PID: 8556)
      • elev_win.exe (PID: 8224)
      • session_win.exe (PID: 7920)
    • Reads the computer name

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • SimpleService.exe (PID: 8932)
      • Remote Access.exe (PID: 8392)
      • SimpleService.exe (PID: 1600)
      • SimpleService.exe (PID: 8556)
      • Remote Access.exe (PID: 2480)
      • session_win.exe (PID: 7920)
    • Reads security settings of Internet Explorer

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • netsh.exe (PID: 8468)
      • netsh.exe (PID: 1688)
    • Creates files in the program directory

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • unpack200.exe (PID: 5888)
      • unpack200.exe (PID: 9020)
      • unpack200.exe (PID: 1116)
      • unpack200.exe (PID: 7448)
      • unpack200.exe (PID: 7552)
      • unpack200.exe (PID: 6940)
      • unpack200.exe (PID: 9076)
      • unpack200.exe (PID: 7780)
      • unpack200.exe (PID: 6788)
      • unpack200.exe (PID: 6704)
      • unpack200.exe (PID: 3588)
      • unpack200.exe (PID: 5896)
      • Remote Access.exe (PID: 8392)
      • Remote AccessLauncher.exe (PID: 7904)
      • Remote Access Service.exe (PID: 2228)
      • Remote Access.exe (PID: 2480)
    • The sample was compiled with English language support

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
    • Creates files in a temporary directory

      • Invoice-PRMREGVK-0003.exe (PID: 6912)
      • Remote AccessLauncher.exe (PID: 7904)
      • Remote Access.exe (PID: 8392)
    • Reads the machine GUID from the registry

      • Remote Access.exe (PID: 8392)
      • Remote Access.exe (PID: 2480)
    • Creates files or folders in the user directory

      • Remote Access.exe (PID: 8392)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:03:18 14:39:36+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 268800
InitializedDataSize: 143872
UninitializedDataSize: -
EntryPoint: 0x1cf10
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 5.2.11.0
ProductVersionNumber: 10.10.10.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 5.2.11.0
ProductVersion: 5.2.11.0
OriginalFileName:
InternalName:
FileDescription: SimpleHelp Remote Access Client
CompanyName: SimpleHelp Ltd
LegalCopyright: Copyright (c) 2020
ProductName: Remote Access
No data.
Total processes: 227
Monitored processes: 87
Malicious processes: 7
Suspicious processes: 17


Process information

PID: 144
CMD: cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\unrestricted" /e /g "Users":F
Path: C:\Windows\System32\cacls.exe
Parent process: Invoice-PRMREGVK-0003.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Control ACLs Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll

PID: 1116
CMD: "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072194-4-app\bin\unpack200.exe" "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072194-4-app\lib\ext\cldrdata.jar.p2" "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072194-4-app\lib\ext\cldrdata.jar"
Path: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072194-4-app\bin\unpack200.exe
Parent process: Invoice-PRMREGVK-0003.exe
User: admin
Company: Oracle Corporation
Integrity Level: HIGH
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.1920.12
Modules (images):
c:\programdata\jwrapper-remote access\jwrappertemp-1771072194-4-app\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\programdata\jwrapper-remote access\jwrappertemp-1771072194-4-app\bin\msvcr100.dll

PID: 1136
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1340
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1488
CMD: cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\JRE-LastSuccessfulOptions-JWrapper-Windows64JRE-00063527423-complete" /e /g "Users":F
Path: C:\Windows\System32\cacls.exe
Parent process: Remote Access.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Control ACLs Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1600
CMD: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe" -install "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\simplegateway.service"
Path: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe
Parent process: Remote Access.exe
User: admin
Integrity Level: HIGH
Exit code: 36507248
Modules (images):
c:\programdata\jwrapper-remote access\jwappssharedconfig\restricted\simpleservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 1688
CMD: netsh advfirewall firewall show rule name=all
Path: C:\Windows\System32\netsh.exe
Parent process: Remote Access.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2052
CMD: cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00075795303-complete\unrestricted\jwLastRun" /e /g "Users":F
Path: C:\Windows\System32\cacls.exe
Parent process: Invoice-PRMREGVK-0003.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Control ACLs Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 2228
CMD: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe"
Path: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe
Parent process: SimpleService.exe
User: SYSTEM
Company: SimpleHelp Ltd
Integrity Level: SYSTEM
Description: SimpleHelp Remote Access Client
Exit code: 0
Version: 5.2.11.0
Modules (images):
c:\programdata\jwrapper-remote access\jwappssharedconfig\simplegatewayservice\remote access service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 8 990
Read events: 8 940
Write events: 34
Delete events: 16

Modification events

(PID) Process: (6912) Invoice-PRMREGVK-0003.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6912) Invoice-PRMREGVK-0003.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6912) Invoice-PRMREGVK-0003.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: workingdir
Value: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: cmdline
Value: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe"

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: auto_restart
Value: no

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: run_once
Value: no

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: do_cad
Value: no

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: stopcmdline
Value: "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\StopSimpleGatewayService.exe"

(PID) Process: (1600) SimpleService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Access Service\Parameters
Operation: write
Name: stopworkingdir
Value: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService
Executable files: 143
Suspicious files: 83
Text files: 81
Unknown types: 0

Dropped files

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\nativesplash.png
Type: image
MD5: A3BE1246247CFC9A93352D288E81F358
SHA256: 2F7D3BC8FFBE9B3152EC9C332363247A4E89591FC1349BC0EB2E3A3D93055043

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\JWrapper-Remote Access-splash.png
Type: image
MD5: A3BE1246247CFC9A93352D288E81F358
SHA256: 2F7D3BC8FFBE9B3152EC9C332363247A4E89591FC1349BC0EB2E3A3D93055043

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\libjwutils_macos32.jnilib
Type: binary
MD5: 0C0EFBA980BCBA436F5DEA05970A6AC6
SHA256: E0B30A7B14060AD9164BDDBFBA6EB650104DD41ABFCC5D94E4B81B6BC9BD989E

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\libjwutils_macos64.jnilib
Type: binary
MD5: 592A6D59C2DC1E78C1E535F573A10A0D
SHA256: AA76B12C98229260D0856EEADF412DC35CF44E440593D539756BF34A1D198D59

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\libjwutils_linux64.so
Type: binary
MD5: D28409795FB3212DC5621A680388AA8E
SHA256: D08B475F3E40077E40BF949DB73DE4836C0318A7D4CFBE310135F445AE7403FB

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\SimpleService.exe
Type: executable
MD5: FC84549947A1EDE86D95298414282A7C
SHA256: A8E83DDF6590A0B9FD1069BDB9655D5A40CC4432207F402F78DBE84712AC821C

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\jwAuthorPublicKey
Type: text
MD5: 1128DCB368DF4E55C20A4657D6B9B6A5
SHA256: B72D40A45A55DF2C60142D734630E5BE9464B52A09CF71A2951BD4553F785A12

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\jwBuildVersion
Type: text
MD5: DAA3C36025E2F86BD0A8D8BF3BE8353B
SHA256: 6AFD7786F03601285735B5053A5131887128FD9A214ECF1909290CCF49F01C07

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\JWrapper-Remote Access-ICNS.icns
Type: binary
MD5: 38D961A37088B5B60431EF4B81BC8902
SHA256: 60BCAAEF7D51F73A7461FB83D27EFF75353EE0273D0D4A9CD2DFE92D2D50D599

PID 6912, Invoice-PRMREGVK-0003.exe
Filename: C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1771072130-3-app\jwutils_win32.dll
Type: executable
MD5: 9F266D3D16AA06F96BD4BF055C025AE6
SHA256: 4D56D75B9E20D0AD8118E2C96F8304034BFEFF9F1DCECA6F0DD09BB7FFCC9BE3
HTTP(S) requests: 42
TCP/UDP connections: 60
DNS requests: 20
Threats: 0

HTTP requests

Each entry lists PID and process (where the report records them), method, HTTP code, IP, URL, and then CN, type, size and reputation where given.

PID 8100 SIHClient.exe: GET 304 135.233.95.144:443 https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: US; reputation: whitelisted)
PID 8100 SIHClient.exe: GET 200 20.242.39.171:443 https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping (CN: US; reputation: whitelisted)
PID 8100 SIHClient.exe: GET 200 135.233.95.144:443 https://slscr.update.microsoft.com/sls/ping (CN: US; reputation: whitelisted)
PID 8100 SIHClient.exe: GET 304 135.233.95.144:443 https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: US; reputation: whitelisted)
PID 8100 SIHClient.exe: GET 304 135.233.95.144:443 https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: US; reputation: whitelisted)
PID 3208 svchost.exe: GET 200 23.216.77.28:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: NL; type: binary; size: 825 b; reputation: whitelisted)
PID not listed: GET 304 135.233.95.144:443 https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: US)
PID not listed: GET 200 23.216.77.28:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: NL; type: binary; size: 825 b; reputation: whitelisted)
PID not listed: GET 304 135.233.95.144:443 https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: US)
PID not listed: GET 200 135.233.95.144:443 https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: US)

Connections

Each entry lists PID and process (where the report records them), remote IP:port, domain, ASN, CN and reputation where given.

PID not listed: 40.127.240.158:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted
PID 4 System: 192.168.100.255:137, Not routed, whitelisted
PID not listed: 184.86.251.4:443, www.bing.com, AKAMAI-ASN1, NL, whitelisted
PID 4 System: 192.168.100.255:138, Not routed, whitelisted
PID 6768 MoUsoCoreWorker.exe: 23.216.77.28:80, crl.microsoft.com, AKAMAI-ASN1, NL, whitelisted
PID 3208 svchost.exe: 23.216.77.28:80, crl.microsoft.com, AKAMAI-ASN1, NL, whitelisted
PID not listed: 23.216.77.28:80, crl.microsoft.com, AKAMAI-ASN1, NL, whitelisted
PID 3208 svchost.exe: 51.124.78.146:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted
PID 6912 Invoice-PRMREGVK-0003.exe: 18.139.243.159:9999, AMAZON-02, US, unknown
PID 3412 svchost.exe: 172.211.123.249:443, client.wns.windows.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
www.bing.com
  • 184.86.251.4
  • 184.86.251.14
  • 184.86.251.27
  • 184.86.251.13
  • 184.86.251.9
  • 184.86.251.24
  • 184.86.251.7
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
  • 13.69.239.77
whitelisted
google.com
  • 142.251.141.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.16.164.120
  • 2.16.164.49
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted

Threats

No threats detected
No debug info