Windows Analysis Report
SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Analysis ID:	1431437
MD5:	b04a7a20d108af793b0aebbe8b373d14
SHA1:	bfa3ce692c9b7f91004d39deab2cf25277ea0dd4
SHA256:	e9c590f63d01ad5ac273953c5dab1d7a97d63faa3447f80963a23816cbb89aab
Infos:

Detection

Score:	63
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	48
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Deletes keys which are related to windows safe boot (disables safe mode boot)

Enables network access during safeboot for specific services

Installs a global keyboard hook

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Writes a notice file (html or txt) to demand a ransom

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Virustotal: Detection: 12%

Perma Link

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: icacls.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\elev_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\session_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: icacls.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\elev_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\session_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\readme.txt

Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\MSVCR100.dll

Jump to behavior

Source:	Binary string: msvcr100.amd64.pdb source: unpack200.exe, 00000006.00000002.52195885320.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.52216544214.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000008.00000002.52224064989.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000009.00000002.52243811656.00000000666A1000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: c:\jenkins\workspace\zulu8-build-win64\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000006.00000002.52196308620.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000007.00000002.52217017172.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000008.00000002.52224482142.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000009.00000002.52244324116.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 0000000A.00000000.52245097591.00007FF631792000.00000002.00000001.01000000.00000008.sdmp

Spreading

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666344A8 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,SetErrorMode,	6_2_666344A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666363E4 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666363E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666383E8 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666383E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666323A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose,	6_2_666323A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66635EE8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66635EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66633F10 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,	6_2_66633F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637F84 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66632C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose,	6_2_66632C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66636DDC FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66636DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637B1C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637B1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663885C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_6663885C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666368D8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666368D8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666349E4 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,	6_2_666349E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00402DE0 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	17_2_00402DE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\lib\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\	Jump to behavior

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then movzx r9d, byte ptr [rdi]	17_2_00404D10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then mov r8, rdi	17_2_004095E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then mov r8d, ebx	17_2_00412980
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]	17_2_0040A7C0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then lea rbx, qword ptr [rsp+70h]	17_2_00409780

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.11.20:50303 -> 34.173.17.153:80
Source: Traffic	Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.11.20:50302 -> 34.173.17.153:80

Enables network access during safeboot for specific services

Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

Registry value created: NULL Service

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=324398971 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=324398971 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=324398971 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive

Source: global traffic

DNS traffic detected: DNS query: simplehelp.vow.cloud

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000000.52091908866.0000000000444000.00000002.00000001.01000000.00000004.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://0.0.254.254
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000000.52091908866.0000000000444000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://0.0.254.254%lu
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.azul.com/zulu/zuludocs/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.azul.com/zulu/zulurelnotes/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52774786445.00000000222E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://localhost/shtarget.txt
Source: unpack200.exe, 00000006.00000003.52172703764.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172494731.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171481881.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172145204.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171884785.0000000001824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://maven.apa
Source: unpack200.exe, 00000006.00000003.52172703764.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172494731.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171481881.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172145204.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171884785.0000000001824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://maven.apa.org/POM/4.0.0
Source: unpack200.exe, 00000006.00000003.52193260689.0000000001741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://maven.apache.org/POM/4.0.0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0?
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://openjdk.java.net/legal/exception-modules-2007-05-08.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://relaxngcc.sf.net/).
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52749769515.0000000025327000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52773593002.0000000025532000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52769571717.0000000025532000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simple-help.com/purchase.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971&
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971v
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971z
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.tsx.org
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/).
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azul.com
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azul.com/license/zulu_third_party_licenses.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freebxml.org/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freebxml.org/).
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freetype.org/license.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.txt
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nexus.hu/upx
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oasis-open.org/policies-guidelines/ipr
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52749769515.0000000025327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.simple-help.com
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/reports/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xfree86.org/)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52749769515.0000000025327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yourcompany.com/cust)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zulu.org/forum
Source: unpack200.exe, 00000006.00000003.52193481350.000000000174D000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52193260689.0000000001741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maven.apache.org/xsd/maven-4.0.0.xsd
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52774786445.00000000222E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sh52.simplehelp.io/123
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.whoishostingthis.com/tools/user-agent/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52773134964.000000001F6A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.whoishostingthis.com/tools/user-agent/ateUdpFwdRuleF

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe			Jump to behavior

Installs a global mouse hook

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File dropped: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\translations\en.txt -> encryption = setting up session securityverifying_encryption_details = the remote machine is verifying this connection and setting up encryption to protect any transferred data.verifying_password = verifying passwordverifying_password_details = the remote machine is verifying your passwordconnection_closed = connection closedconnection_closed_details = the connection to the remote machine has been terminated# initial update screentapplet_updating = updating, please wait...tapplet_installing = updating, please wait...tapplet_launching = launching...# web page infodont_see_below = don't see anything below?click_here = (click here)no_javascript_support = your browser does not support javascript.<p></p>javascript is required to view this page, please enable it in your browser or add this site to the trusted sites in your browser settings.no_java_message_part_one = if you don't see anything in the space below then your browser probably doesn't have the latest java runtime.<p></p>you can fix this by d

Jump to dropped file

System Summary

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6667A2BC	6_2_6667A2BC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6667CBA0	6_2_6667CBA0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669A668	6_2_6669A668
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666E668	6_2_6666E668
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6662B624	6_2_6662B624
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664C6A0	6_2_6664C6A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666206B0	6_2_666206B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666456B8	6_2_666456B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D36B0	6_2_666D36B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663A760	6_2_6663A760
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664A77C	6_2_6664A77C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6662D73C	6_2_6662D73C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6667B7E4	6_2_6667B7E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665C7E8	6_2_6665C7E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663B7C4	6_2_6663B7C4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666877D0	6_2_666877D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666427AC	6_2_666427AC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66683444	6_2_66683444
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66677448	6_2_66677448
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663F454	6_2_6663F454
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664A410	6_2_6664A410
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666424D0	6_2_666424D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666974DC	6_2_666974DC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666344A8	6_2_666344A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666484BC	6_2_666484BC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668F558	6_2_6668F558
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66660244	6_2_66660244
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669323C	6_2_6669323C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66691200	6_2_66691200
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669D2F8	6_2_6669D2F8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666D2C4	6_2_6666D2C4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668E2B8	6_2_6668E2B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666962B0	6_2_666962B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668D2B4	6_2_6668D2B4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66640288	6_2_66640288
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66649294	6_2_66649294
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6661B298	6_2_6661B298
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663C350	6_2_6663C350
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665E3FC	6_2_6665E3FC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66663050	6_2_66663050
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669D028	6_2_6669D028
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66690008	6_2_66690008
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668800C	6_2_6668800C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66683010	6_2_66683010
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664A0EC	6_2_6664A0EC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6661D0E8	6_2_6661D0E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664B1E0	6_2_6664B1E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663A1F0	6_2_6663A1F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66648194	6_2_66648194
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66685E5C	6_2_66685E5C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66648E10	6_2_66648E10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663BE1C	6_2_6663BE1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66669EEC	6_2_66669EEC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66661EE8	6_2_66661EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66664EC4	6_2_66664EC4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664AE9C	6_2_6664AE9C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66667F74	6_2_66667F74
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66649F44	6_2_66649F44
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668DF5C	6_2_6668DF5C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66676F58	6_2_66676F58
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66633F10	6_2_66633F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665EFE8	6_2_6665EFE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66698FF0	6_2_66698FF0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66649C74	6_2_66649C74
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66686C0C	6_2_66686C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66638CF8	6_2_66638CF8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66687CC4	6_2_66687CC4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66668CD4	6_2_66668CD4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665BC80	6_2_6665BC80
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66663C9C	6_2_66663C9C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66644D40	6_2_66644D40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669AD2C	6_2_6669AD2C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666CDE8	6_2_6666CDE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66630DCC	6_2_66630DCC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66684DAC	6_2_66684DAC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66647DB0	6_2_66647DB0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66693A18	6_2_66693A18
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665AA10	6_2_6665AA10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66647AF4	6_2_66647AF4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66639AAC	6_2_66639AAC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66645A94	6_2_66645A94
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666CB3C	6_2_6666CB3C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66684B04	6_2_66684B04
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66642BF4	6_2_66642BF4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66666BF8	6_2_66666BF8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668EBD8	6_2_6668EBD8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66675BB0	6_2_66675BB0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66645B88	6_2_66645B88
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66658830	6_2_66658830
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666428D4	6_2_666428D4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6661D8B4	6_2_6661D8B4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66659888	6_2_66659888
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6662C894	6_2_6662C894
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66645958	6_2_66645958
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66686924	6_2_66686924
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663A92C	6_2_6663A92C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66657938	6_2_66657938
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666D904	6_2_6666D904
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665D900	6_2_6665D900
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666659E0	6_2_666659E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666349E4	6_2_666349E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178BC38	6_2_00007FF63178BC38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631783004	6_2_00007FF631783004
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771294	6_2_00007FF631771294
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771311	6_2_00007FF631771311
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771032	6_2_00007FF631771032
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF6317721B8	6_2_00007FF6317721B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631788178	6_2_00007FF631788178
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177E4E0	6_2_00007FF63177E4E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178462C	6_2_00007FF63178462C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631783004	6_2_00007FF631783004
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177164A	6_2_00007FF63177164A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177CA54	6_2_00007FF63177CA54
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771032	6_2_00007FF631771032
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF6317714D3	6_2_00007FF6317714D3
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771456	6_2_00007FF631771456
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771299	6_2_00007FF631771299
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771122	6_2_00007FF631771122
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771DDC	6_2_00007FF631771DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177164A	6_2_00007FF63177164A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631774FE8	6_2_00007FF631774FE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00410400	17_2_00410400
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00410CD0	17_2_00410CD0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004081B0	17_2_004081B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040E6D0	17_2_0040E6D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040DED0	17_2_0040DED0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004036B0	17_2_004036B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00405060	17_2_00405060
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004058D0	17_2_004058D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040A0B0	17_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004030B0	17_2_004030B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00406D40	17_2_00406D40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004011D0	17_2_004011D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00402DE0	17_2_00402DE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00404E50	17_2_00404E50
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040CAC0	17_2_0040CAC0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040D2A0	17_2_0040D2A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004052A0	17_2_004052A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00409F40	17_2_00409F40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040CF60	17_2_0040CF60
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040DBE0	17_2_0040DBE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004063F0	17_2_004063F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00409780	17_2_00409780
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040FBA0	17_2_0040FBA0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe 5F2152402826190E1760C7E49F543B854C9AD0CFF5ACE5A398A1EB6750E97636

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: String function: 00007FF6317716B3 appears 75 times
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: String function: 004025D8 appears 42 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000000.52092044556.000000000046B000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Source: classification engine

Classification label: mal63.rans.spyw.evad.winEXE@54/235@2/2

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe

Code function: 17_2_00401EEC GetLastError,FormatMessageA,lstrlenA,lstrlenA,LocalAlloc,LocalFree,LocalFree,

17_2_00401EEC

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66633DA4 GetDiskFreeSpaceA,GetLastError,

6_2_66633DA4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:304:WilStaging_02

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user\2608

Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Virustotal: Detection: 12%

Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\." /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: unknown	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\." /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capabilityaccessmanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wifidatacapabilityhandler.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cellulardatacapabilityhandler.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edgegdi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: propsys.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edputil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: slc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sppc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edgegdi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: propsys.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edputil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: slc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sppc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: edgegdi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: glu32.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static file information: File size 1797640 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\MSVCR100.dll

Jump to behavior

Source:	Binary string: msvcr100.amd64.pdb source: unpack200.exe, 00000006.00000002.52195885320.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.52216544214.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000008.00000002.52224064989.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000009.00000002.52243811656.00000000666A1000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: c:\jenkins\workspace\zulu8-build-win64\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000006.00000002.52196308620.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000007.00000002.52217017172.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000008.00000002.52224482142.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000009.00000002.52244324116.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 0000000A.00000000.52245097591.00007FF631792000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_666296BC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_666296BC

PE file contains an invalid checksum

Source: pack200.exe.3.dr	Static PE information: real checksum: 0x5fdd should be: 0x7713
Source: java.exe.3.dr	Static PE information: real checksum: 0x33084 should be: 0x3cd32
Source: javaw.exe.3.dr	Static PE information: real checksum: 0x3ff01 should be: 0x41637
Source: windowslauncher.exe.3.dr	Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Static PE information: real checksum: 0x68141 should be: 0x1c331d
Source: jwutils_win32.dll.3.dr	Static PE information: real checksum: 0x26170 should be: 0x34425
Source: jjs.exe.3.dr	Static PE information: real checksum: 0xd1e5 should be: 0xc81f
Source: jvm.dll.3.dr	Static PE information: real checksum: 0x8a0779 should be: 0x8a10db
Source: Remote SupportWinLauncher.exe.3.dr	Static PE information: real checksum: 0x55001 should be: 0x9a6d7
Source: java-rmi.exe.3.dr	Static PE information: real checksum: 0xc872 should be: 0x6521
Source: Remote Support.exe.3.dr	Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: jwutils_win64.dll.3.dr	Static PE information: real checksum: 0x3ac9d should be: 0x4216b
Source: freetype.dll.3.dr	Static PE information: real checksum: 0xaf521 should be: 0xa6754
Source: Remote SupportECompatibility.exe.3.dr	Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: jwutils_win64.dll0.3.dr	Static PE information: real checksum: 0x3ac9d should be: 0x4216b
Source: jwutils_win32.dll0.3.dr	Static PE information: real checksum: 0x26170 should be: 0x34425
Source: elev_win.exe.3.dr	Static PE information: real checksum: 0x19839 should be: 0x348b4
Source: unpack200.exe.3.dr	Static PE information: real checksum: 0x3ad77 should be: 0x3b9ae
Source: session_win.exe.3.dr	Static PE information: real checksum: 0x18543 should be: 0x21840
Source: SimpleService.exe.3.dr	Static PE information: real checksum: 0x1afc4 should be: 0x3ef28

PE file contains sections with non-standard names

Source: msvcr100.dll.3.dr	Static PE information: section name: _CONST
Source: msvcr100.dll.3.dr	Static PE information: section name: text

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666DB37B push rbp; iretd	6_2_666DB38E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D6E1B push rbp; iretd	6_2_666D6E2E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D8B1D push rcx; retf 003Fh	6_2_666D8B1E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D7885 push 0000003Eh; ret	6_2_666D7887

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JavaAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\session_win.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jawt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\splashscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\server\jvm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_dxgi64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsdt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsound.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\freetype.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\elev_win.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\hprof.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_wnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\instrument.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\nio.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\verify.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\WindowsAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsoundds.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\lcms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\awt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JAWTAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shpty64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jdwp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\npt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\mlib_image.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_socket.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\management.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\fontmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty64.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\readme.txt

Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShTemporaryService66694190\Parameters

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6662D73C GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,

6_2_6662D73C

Uses cacls to modify the permissions of files

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Name, Model, InterfaceType, MediaType, Size, SerialNumber from Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6662BAC4 rdtsc

6_2_6662BAC4

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JavaAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jawt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\splashscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_dxgi64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\server\jvm.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsdt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsound.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\freetype.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\hprof.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_wnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\instrument.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\nio.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\verify.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\WindowsAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsoundds.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\lcms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\awt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JAWTAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shpty64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jdwp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\npt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jli.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\mlib_image.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_socket.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\management.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\fontmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty64.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

API coverage: 4.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe TID: 5768

Thread sleep time: -60000s >= -30000s

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber,Version,Name,Manufacturer from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IdentifyingNumber,Version,Vendor,Name from Win32_ComputerSystemProduct

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666344A8 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,SetErrorMode,	6_2_666344A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666363E4 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666363E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666383E8 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666383E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666323A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose,	6_2_666323A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66635EE8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66635EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66633F10 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,	6_2_66633F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637F84 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66632C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose,	6_2_66632C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66636DDC FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66636DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637B1C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637B1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663885C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_6663885C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666368D8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666368D8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666349E4 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,	6_2_666349E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00402DE0 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	17_2_00402DE0

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66679780 VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect,

6_2_66679780

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\lib\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\	Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EWindows Server Datacenter Edition without Hyper-V (Full installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.0000000000603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWih
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LWindows Server Datacenter Edition without Hyper-V (Server Core installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Copyright (C) 2009 VMware, Inc. All Rights Reserved.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *+com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JWindows Server Standard Edition without Hyper-V (Server Core installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /Windows Server Standard Edition without Hyper-V
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .Windows Compute Cluster Server without Hyper-V
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.0000000000603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LWindows Server Enterprise Edition without Hyper-V (Server Core installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JWindows Server 2008 without Hyper-V for Windows Essential Server Solutions
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EWindows Server Enterprise Edition without Hyper-V (Full installation)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6662BAC4 rdtsc

6_2_6662BAC4

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_666806B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_666806B0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_666296BC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_666296BC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6667ECC8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError,

6_2_6667ECC8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666806B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_666806B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666802A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_666802A4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF6317A03F0 SetUnhandledExceptionFilter,	6_2_00007FF6317A03F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178EA60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,	6_2_00007FF63178EA60
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178F064 SetUnhandledExceptionFilter,	6_2_00007FF63178F064
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00406880 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00406880
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040F500 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0040F500
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00406230 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00406230
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004062D0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_004062D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\." /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote supportecompatibility.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\unrestricted\jwlaunchproperties-1714016482748-0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\unrestricted\jwlaunchproperties-1714016484279-3"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\session_win.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote supportecompatibility.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\unrestricted\jwlaunchproperties-1714016482748-0"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\unrestricted\jwlaunchproperties-1714016484279-3"	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\session_win.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoA,	6_2_6668B6E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoW,	6_2_6668B7CC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,	6_2_666895DC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_66681058
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: EnumSystemLocalesA,	6_2_6668BC6C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: EnumSystemLocalesA,	6_2_6668BD0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,	6_2_6668BD80
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoA,GetLocaleInfoW,	6_2_6668BB38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	6_2_6668B864
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: GetLocaleInfoA,	17_2_00412F00

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Queries volume information: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-JWrapper-00089360978-complete\nativesplash.png VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Queries volume information: C:\ProgramData\SimpleHelp\ElevateSH\lock VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6664B768 GetLocalTime,

6_2_6664B768

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66648E10 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

6_2_66648E10

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66678E68 HeapCreate,GetVersion,HeapSetInformation,

6_2_66678E68

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ShTemporaryService66694190

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.173.17.153	simplehelp.vow.cloud	United States		2686	ATGS-MMD-ASUS	true

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
simplehelp.vow.cloud	34.173.17.153	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://simplehelp.vow.cloud/branding/applet_splash.png?a=3	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Remote%20Support_os_jwwin-version.txt	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Remote%20Support_os_jwwin-00089360998-archive.p2.l2	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/branding/brandingfiles?a=3	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/simplehelpdisclaimer.txt?language=en	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/translations_user/en.txt	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Remote%20Support-version.txt	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/simplehelpdetails.txt	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/branding/branding.properties?a=3	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Remote%20Support-00089360998-archive.p2.l2	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Remote%20Support_winutils64-version.txt	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/server_side_parameters	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-JWrapper-version.txt	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971	true	Avira URL Cloud: safe	unknown
http://simplehelp.vow.cloud/customer/JWrapper-Remote%20Support_winutils64-00089360998-archive.p2.l2	true	Avira URL Cloud: safe	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Virustotal: Detection: 12%

Perma Link

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: icacls.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\elev_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\session_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: icacls.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\elev_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\session_win.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\readme.txt

Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\MSVCR100.dll

Jump to behavior

Source:	Binary string: msvcr100.amd64.pdb source: unpack200.exe, 00000006.00000002.52195885320.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.52216544214.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000008.00000002.52224064989.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000009.00000002.52243811656.00000000666A1000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: c:\jenkins\workspace\zulu8-build-win64\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000006.00000002.52196308620.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000007.00000002.52217017172.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000008.00000002.52224482142.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000009.00000002.52244324116.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 0000000A.00000000.52245097591.00007FF631792000.00000002.00000001.01000000.00000008.sdmp

Spreading

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666344A8 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,SetErrorMode,	6_2_666344A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666363E4 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666363E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666383E8 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666383E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666323A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose,	6_2_666323A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66635EE8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66635EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66633F10 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,	6_2_66633F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637F84 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66632C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose,	6_2_66632C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66636DDC FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66636DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637B1C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637B1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663885C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_6663885C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666368D8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666368D8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666349E4 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,	6_2_666349E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00402DE0 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	17_2_00402DE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\lib\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\	Jump to behavior

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then movzx r9d, byte ptr [rdi]	17_2_00404D10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then mov r8, rdi	17_2_004095E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then mov r8d, ebx	17_2_00412980
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]	17_2_0040A7C0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 4x nop then lea rbx, qword ptr [rsp+70h]	17_2_00409780

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.11.20:50303 -> 34.173.17.153:80
Source: Traffic	Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.11.20:50302 -> 34.173.17.153:80

Enables network access during safeboot for specific services

Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

Registry value created: NULL Service

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=324398971 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=324398971 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=324398971 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-00084000053-archive.p2.l2 HTTP/1.1User-Agent: JWrapperDownloaderHost: simplehelp.vow.cloudConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_os_jwwin-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /customer/JWrapper-Remote%20Support_winutils64-00089360998-archive.p2.l2 HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: simplehelp.vow.cloudAccept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2Connection: keep-alive

Source: global traffic

DNS traffic detected: DNS query: simplehelp.vow.cloud

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000000.52091908866.0000000000444000.00000002.00000001.01000000.00000004.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://0.0.254.254
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000000.52091908866.0000000000444000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://0.0.254.254%lu
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.azul.com/zulu/zuludocs/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.azul.com/zulu/zulurelnotes/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52774786445.00000000222E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://localhost/shtarget.txt
Source: unpack200.exe, 00000006.00000003.52172703764.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172494731.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171481881.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172145204.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171884785.0000000001824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://maven.apa
Source: unpack200.exe, 00000006.00000003.52172703764.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172494731.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171481881.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52172145204.0000000001824000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52171884785.0000000001824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://maven.apa.org/POM/4.0.0
Source: unpack200.exe, 00000006.00000003.52193260689.0000000001741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://maven.apache.org/POM/4.0.0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0?
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://openjdk.java.net/legal/exception-modules-2007-05-08.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://relaxngcc.sf.net/).
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52749769515.0000000025327000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52773593002.0000000025532000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52769571717.0000000025532000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simple-help.com/purchase.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971&
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971v
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://simplehelp.vow.cloud/customer/JWrapper-Windows64JRE-version.txt?time=324398971z
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.tsx.org
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/).
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azul.com
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azul.com/license/zulu_third_party_licenses.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freebxml.org/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freebxml.org/).
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freetype.org/license.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.txt
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nexus.hu/upx
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oasis-open.org/policies-guidelines/ipr
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52749769515.0000000025327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.simple-help.com
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/reports/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xfree86.org/)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52749769515.0000000025327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yourcompany.com/cust)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zulu.org/forum
Source: unpack200.exe, 00000006.00000003.52193481350.000000000174D000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000006.00000003.52193260689.0000000001741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maven.apache.org/xsd/maven-4.0.0.xsd
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52774786445.00000000222E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sh52.simplehelp.io/123
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.00000000035FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.whoishostingthis.com/tools/user-agent/
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52773134964.000000001F6A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.whoishostingthis.com/tools/user-agent/ateUdpFwdRuleF

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe			Jump to behavior

Installs a global mouse hook

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Jump to dropped file

System Summary

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6667A2BC	6_2_6667A2BC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6667CBA0	6_2_6667CBA0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669A668	6_2_6669A668
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666E668	6_2_6666E668
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6662B624	6_2_6662B624
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664C6A0	6_2_6664C6A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666206B0	6_2_666206B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666456B8	6_2_666456B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D36B0	6_2_666D36B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663A760	6_2_6663A760
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664A77C	6_2_6664A77C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6662D73C	6_2_6662D73C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6667B7E4	6_2_6667B7E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665C7E8	6_2_6665C7E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663B7C4	6_2_6663B7C4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666877D0	6_2_666877D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666427AC	6_2_666427AC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66683444	6_2_66683444
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66677448	6_2_66677448
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663F454	6_2_6663F454
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664A410	6_2_6664A410
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666424D0	6_2_666424D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666974DC	6_2_666974DC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666344A8	6_2_666344A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666484BC	6_2_666484BC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668F558	6_2_6668F558
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66660244	6_2_66660244
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669323C	6_2_6669323C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66691200	6_2_66691200
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669D2F8	6_2_6669D2F8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666D2C4	6_2_6666D2C4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668E2B8	6_2_6668E2B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666962B0	6_2_666962B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668D2B4	6_2_6668D2B4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66640288	6_2_66640288
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66649294	6_2_66649294
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6661B298	6_2_6661B298
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663C350	6_2_6663C350
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665E3FC	6_2_6665E3FC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66663050	6_2_66663050
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669D028	6_2_6669D028
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66690008	6_2_66690008
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668800C	6_2_6668800C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66683010	6_2_66683010
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664A0EC	6_2_6664A0EC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6661D0E8	6_2_6661D0E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664B1E0	6_2_6664B1E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663A1F0	6_2_6663A1F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66648194	6_2_66648194
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66685E5C	6_2_66685E5C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66648E10	6_2_66648E10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663BE1C	6_2_6663BE1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66669EEC	6_2_66669EEC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66661EE8	6_2_66661EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66664EC4	6_2_66664EC4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6664AE9C	6_2_6664AE9C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66667F74	6_2_66667F74
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66649F44	6_2_66649F44
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668DF5C	6_2_6668DF5C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66676F58	6_2_66676F58
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66633F10	6_2_66633F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665EFE8	6_2_6665EFE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66698FF0	6_2_66698FF0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66649C74	6_2_66649C74
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66686C0C	6_2_66686C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66638CF8	6_2_66638CF8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66687CC4	6_2_66687CC4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66668CD4	6_2_66668CD4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665BC80	6_2_6665BC80
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66663C9C	6_2_66663C9C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66644D40	6_2_66644D40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6669AD2C	6_2_6669AD2C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666CDE8	6_2_6666CDE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66630DCC	6_2_66630DCC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66684DAC	6_2_66684DAC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66647DB0	6_2_66647DB0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66693A18	6_2_66693A18
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665AA10	6_2_6665AA10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66647AF4	6_2_66647AF4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66639AAC	6_2_66639AAC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66645A94	6_2_66645A94
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666CB3C	6_2_6666CB3C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66684B04	6_2_66684B04
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66642BF4	6_2_66642BF4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66666BF8	6_2_66666BF8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6668EBD8	6_2_6668EBD8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66675BB0	6_2_66675BB0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66645B88	6_2_66645B88
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66658830	6_2_66658830
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666428D4	6_2_666428D4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6661D8B4	6_2_6661D8B4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66659888	6_2_66659888
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6662C894	6_2_6662C894
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66645958	6_2_66645958
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66686924	6_2_66686924
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663A92C	6_2_6663A92C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66657938	6_2_66657938
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6666D904	6_2_6666D904
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6665D900	6_2_6665D900
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666659E0	6_2_666659E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666349E4	6_2_666349E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178BC38	6_2_00007FF63178BC38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631783004	6_2_00007FF631783004
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771294	6_2_00007FF631771294
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771311	6_2_00007FF631771311
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771032	6_2_00007FF631771032
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF6317721B8	6_2_00007FF6317721B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631788178	6_2_00007FF631788178
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177E4E0	6_2_00007FF63177E4E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178462C	6_2_00007FF63178462C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631783004	6_2_00007FF631783004
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177164A	6_2_00007FF63177164A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177CA54	6_2_00007FF63177CA54
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771032	6_2_00007FF631771032
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF6317714D3	6_2_00007FF6317714D3
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771456	6_2_00007FF631771456
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771299	6_2_00007FF631771299
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771122	6_2_00007FF631771122
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631771DDC	6_2_00007FF631771DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63177164A	6_2_00007FF63177164A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF631774FE8	6_2_00007FF631774FE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00410400	17_2_00410400
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00410CD0	17_2_00410CD0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004081B0	17_2_004081B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040E6D0	17_2_0040E6D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040DED0	17_2_0040DED0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004036B0	17_2_004036B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00405060	17_2_00405060
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004058D0	17_2_004058D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040A0B0	17_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004030B0	17_2_004030B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00406D40	17_2_00406D40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004011D0	17_2_004011D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00402DE0	17_2_00402DE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00404E50	17_2_00404E50
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040CAC0	17_2_0040CAC0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040D2A0	17_2_0040D2A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004052A0	17_2_004052A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00409F40	17_2_00409F40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040CF60	17_2_0040CF60
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040DBE0	17_2_0040DBE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004063F0	17_2_004063F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00409780	17_2_00409780
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040FBA0	17_2_0040FBA0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe 5F2152402826190E1760C7E49F543B854C9AD0CFF5ACE5A398A1EB6750E97636

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: String function: 00007FF6317716B3 appears 75 times
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: String function: 004025D8 appears 42 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.000000000359A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000000.52092044556.000000000046B000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Source: classification engine

Classification label: mal63.rans.spyw.evad.winEXE@54/235@2/2

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe

Code function: 17_2_00401EEC GetLastError,FormatMessageA,lstrlenA,lstrlenA,LocalAlloc,LocalFree,LocalFree,

17_2_00401EEC

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66633DA4 GetDiskFreeSpaceA,GetLastError,

6_2_66633DA4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:304:WilStaging_02

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user\2608

Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Virustotal: Detection: 12%

Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe	String found in binary or memory: (For more information, run %s --help .)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\." /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: unknown	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\." /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capabilityaccessmanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wifidatacapabilityhandler.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cellulardatacapabilityhandler.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edgegdi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: propsys.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edputil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: slc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sppc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edgegdi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: propsys.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: edputil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: slc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sppc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: edgegdi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Section loaded: glu32.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Static file information: File size 1797640 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\MSVCR100.dll

Jump to behavior

Source:	Binary string: msvcr100.amd64.pdb source: unpack200.exe, 00000006.00000002.52195885320.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.52216544214.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000008.00000002.52224064989.00000000666A1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000009.00000002.52243811656.00000000666A1000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: c:\jenkins\workspace\zulu8-build-win64\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000006.00000002.52196308620.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000007.00000002.52217017172.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000008.00000002.52224482142.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000009.00000002.52244324116.00007FF631792000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 0000000A.00000000.52245097591.00007FF631792000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_666296BC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_666296BC

PE file contains an invalid checksum

Source: pack200.exe.3.dr	Static PE information: real checksum: 0x5fdd should be: 0x7713
Source: java.exe.3.dr	Static PE information: real checksum: 0x33084 should be: 0x3cd32
Source: javaw.exe.3.dr	Static PE information: real checksum: 0x3ff01 should be: 0x41637
Source: windowslauncher.exe.3.dr	Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Static PE information: real checksum: 0x68141 should be: 0x1c331d
Source: jwutils_win32.dll.3.dr	Static PE information: real checksum: 0x26170 should be: 0x34425
Source: jjs.exe.3.dr	Static PE information: real checksum: 0xd1e5 should be: 0xc81f
Source: jvm.dll.3.dr	Static PE information: real checksum: 0x8a0779 should be: 0x8a10db
Source: Remote SupportWinLauncher.exe.3.dr	Static PE information: real checksum: 0x55001 should be: 0x9a6d7
Source: java-rmi.exe.3.dr	Static PE information: real checksum: 0xc872 should be: 0x6521
Source: Remote Support.exe.3.dr	Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: jwutils_win64.dll.3.dr	Static PE information: real checksum: 0x3ac9d should be: 0x4216b
Source: freetype.dll.3.dr	Static PE information: real checksum: 0xaf521 should be: 0xa6754
Source: Remote SupportECompatibility.exe.3.dr	Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: jwutils_win64.dll0.3.dr	Static PE information: real checksum: 0x3ac9d should be: 0x4216b
Source: jwutils_win32.dll0.3.dr	Static PE information: real checksum: 0x26170 should be: 0x34425
Source: elev_win.exe.3.dr	Static PE information: real checksum: 0x19839 should be: 0x348b4
Source: unpack200.exe.3.dr	Static PE information: real checksum: 0x3ad77 should be: 0x3b9ae
Source: session_win.exe.3.dr	Static PE information: real checksum: 0x18543 should be: 0x21840
Source: SimpleService.exe.3.dr	Static PE information: real checksum: 0x1afc4 should be: 0x3ef28

PE file contains sections with non-standard names

Source: msvcr100.dll.3.dr	Static PE information: section name: _CONST
Source: msvcr100.dll.3.dr	Static PE information: section name: text

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666DB37B push rbp; iretd	6_2_666DB38E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D6E1B push rbp; iretd	6_2_666D6E2E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D8B1D push rcx; retf 003Fh	6_2_666D8B1E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666D7885 push 0000003Eh; ret	6_2_666D7887

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JavaAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\session_win.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jawt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\splashscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\server\jvm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_dxgi64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsdt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsound.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\freetype.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\elev_win.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\hprof.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_wnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\instrument.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\nio.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\verify.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\WindowsAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsoundds.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\lcms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\awt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JAWTAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shpty64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jdwp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\npt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\mlib_image.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_socket.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\management.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\fontmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty64.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	File created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\readme.txt

Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShTemporaryService66694190\Parameters

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

6_2_6662D73C

Uses cacls to modify the permissions of files

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Name, Model, InterfaceType, MediaType, Size, SerialNumber from Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6662BAC4 rdtsc

6_2_6662BAC4

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\Remote SupportWinLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\sunec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JavaAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jawt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\cadasuser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\splashscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_dxgi64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\server\jvm.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsdt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsound.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\freetype.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty-agent64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\hprof.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\utils_wnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\instrument.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\simplehelper64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shcad.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\nio.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\verify.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwutils_win32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\WindowsAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jsoundds.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\lcms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\awt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\JAWTAccessBridge-64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\shpty64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jdwp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\npt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jli.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\SimpleService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\mlib_image.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\dt_socket.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016349-5-app\jwutils_win64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\management.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\fontmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\winpty64.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

API coverage: 4.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe TID: 5768

Thread sleep time: -60000s >= -30000s

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber,Version,Name,Manufacturer from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IdentifyingNumber,Version,Vendor,Name from Win32_ComputerSystemProduct

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666344A8 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,SetErrorMode,	6_2_666344A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666363E4 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666363E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666383E8 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666383E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666323A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose,	6_2_666323A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66635EE8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66635EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66633F10 FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,FindFirstFileExA,GetLastError,FindNextFileA,GetLastError,	6_2_66633F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637F84 FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66632C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose,	6_2_66632C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66636DDC FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66636DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_66637B1C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_66637B1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_6663885C FindFirstFileExW,GetDriveTypeW,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_6663885C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666368D8 FindFirstFileExA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	6_2_666368D8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666349E4 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,	6_2_666349E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00402DE0 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	17_2_00402DE0

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66679780 VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect,

6_2_66679780

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\lib\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\	Jump to behavior

Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EWindows Server Datacenter Edition without Hyper-V (Full installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.0000000000603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWih
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LWindows Server Datacenter Edition without Hyper-V (Server Core installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52711500584.0000000004902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Copyright (C) 2009 VMware, Inc. All Rights Reserved.
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *+com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JWindows Server Standard Edition without Hyper-V (Server Core installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /Windows Server Standard Edition without Hyper-V
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .Windows Compute Cluster Server without Hyper-V
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52121458732.0000000000603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52716283299.000000001DADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LWindows Server Enterprise Edition without Hyper-V (Server Core installation)
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JWindows Server 2008 without Hyper-V for Windows Essential Server Solutions
Source: SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe, 00000003.00000003.52097487555.0000000003244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EWindows Server Enterprise Edition without Hyper-V (Full installation)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6662BAC4 rdtsc

6_2_6662BAC4

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_666806B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_666806B0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_666296BC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_666296BC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6667ECC8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError,

6_2_6667ECC8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666806B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_666806B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_666802A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_666802A4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF6317A03F0 SetUnhandledExceptionFilter,	6_2_00007FF6317A03F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178EA60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,	6_2_00007FF63178EA60
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: 6_2_00007FF63178F064 SetUnhandledExceptionFilter,	6_2_00007FF63178F064
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00406880 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00406880
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_0040F500 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0040F500
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_00406230 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00406230
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: 17_2_004062D0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_004062D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\." /t /c /grant *S-1-1-0:(OI)(CI)F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote supportecompatibility.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\unrestricted\jwlaunchproperties-1714016482748-0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\unrestricted\jwlaunchproperties-1714016484279-3"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\session_win.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\crs-agent.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\charsets.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\jsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\jaccess.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunpkcs11.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\openjsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\legacy8ujsse.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\cldrdata.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\access-bridge-64.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\ext\sunmscapi.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016412-6-app\lib\rt.jar"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote supportecompatibility.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1714016472876-5\unrestricted\jwlaunchproperties-1714016482748-0"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2 jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\unrestricted\jwlaunchproperties-1714016484279-3"	Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\session_win.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\jwrapper_utils.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\customer.jar;c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete\sevenzip.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00089360998-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoA,	6_2_6668B6E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoW,	6_2_6668B7CC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,	6_2_666895DC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_66681058
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: EnumSystemLocalesA,	6_2_6668BC6C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: EnumSystemLocalesA,	6_2_6668BD0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,	6_2_6668BD80
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoA,GetLocaleInfoW,	6_2_6668BB38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	6_2_6668B864
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe	Code function: GetLocaleInfoA,	17_2_00412F00

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe	Queries volume information: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-JWrapper-00089360978-complete\nativesplash.png VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe	Queries volume information: C:\ProgramData\SimpleHelp\ElevateSH\lock VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_6664B768 GetLocalTime,

6_2_6664B768

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66648E10 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

6_2_66648E10

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe

Code function: 6_2_66678E68 HeapCreate,GetVersion,HeapSetInformation,

6_2_66678E68

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ShTemporaryService66694190

ID:	1431437
Product:	CloudBasic
Start time:	05:37:07
Start date:	25.04.2024
Sample:	SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	b04a7a20d108af793b0aebbe8b373d14
SHA1:	bfa3ce692c9b7f91004d39deab2cf25277ea0dd4
SHA256:	e9c590f63d01ad5ac273953c5dab1d7a97d63faa3447f80963a23816cbb89aab
Filetype:	Win64 Executable GUI (202006/5) 87.40%

Windows Analysis Report SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe