File name:

letsvpn-latest.exe

Full analysis: https://app.any.run/tasks/abc8db10-f639-4b99-a90c-e2e6e79a8242
Verdict: Malicious activity
Analysis date: September 14, 2024, 03:45:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
websocket
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

94F6BD702B7A2E17C45D16EAF7DA0D64

SHA1:

45F8C05851BCF16416E087253CE962B320E9DB8A

SHA256:

07F44325EAB13B01D536A42E90A0247C6EFECF23CCD4586309828AA814F5C776

SSDEEP:

196608:KVRrUSWRLbOXpTQy3DJajGVYwDfMtuxfsC5abtpByzr:KVFjeLbYtQyUjGVYwD04psC4tpByn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4668)
      • powershell.exe (PID: 1752)

    • Changes powershell execution policy (Bypass)

      • letsvpn-latest.exe (PID: 5704)

    • Changes the autorun value in the registry

      • LetsPRO.exe (PID: 6592)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • letsvpn-latest.exe (PID: 5704)

    • Executable content was dropped or overwritten

      • letsvpn-latest.exe (PID: 5704)
      • tapinstall.exe (PID: 3328)
      • drvinst.exe (PID: 4692)
      • drvinst.exe (PID: 2008)

    • Starts POWERSHELL.EXE for commands execution

      • letsvpn-latest.exe (PID: 5704)

    • Checks processor architecture

      • powershell.exe (PID: 4668)

    • Drops a system driver (possible attempt to evade defenses)

      • letsvpn-latest.exe (PID: 5704)
      • tapinstall.exe (PID: 3328)
      • drvinst.exe (PID: 4692)
      • drvinst.exe (PID: 2008)

    • The process executes Powershell scripts

      • letsvpn-latest.exe (PID: 5704)

    • Reads security settings of Internet Explorer

      • tapinstall.exe (PID: 3328)
      • LetsPRO.exe (PID: 6592)

    • Checks Windows Trust Settings

      • tapinstall.exe (PID: 3328)
      • drvinst.exe (PID: 4692)
      • LetsPRO.exe (PID: 6592)

    • Creates files in the driver directory

      • drvinst.exe (PID: 4692)
      • drvinst.exe (PID: 2008)
      • LetsPRO.exe (PID: 6592)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 2008)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 5612)
      • cmd.exe (PID: 5900)
      • cmd.exe (PID: 5476)
      • cmd.exe (PID: 5220)

    • Creates a software uninstall entry

      • letsvpn-latest.exe (PID: 5704)

    • Starts CMD.EXE for commands execution

      • letsvpn-latest.exe (PID: 5704)
      • LetsPRO.exe (PID: 6592)

    • The process checks if it is being run in the virtual environment

      • LetsPRO.exe (PID: 6592)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 5072)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 6516)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 5612)

    • Suspicious use of NETSH.EXE

      • LetsPRO.exe (PID: 6592)

    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5096)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 4680)

  • INFO

    • Checks supported languages

      • letsvpn-latest.exe (PID: 5704)
      • tapinstall.exe (PID: 3328)
      • tapinstall.exe (PID: 5172)
      • drvinst.exe (PID: 4692)
      • drvinst.exe (PID: 2008)
      • LetsPRO.exe (PID: 360)
      • tapinstall.exe (PID: 4732)
      • LetsPRO.exe (PID: 6592)

    • Create files in a temporary directory

      • letsvpn-latest.exe (PID: 5704)
      • tapinstall.exe (PID: 3328)
      • LetsPRO.exe (PID: 6592)

    • Reads the computer name

      • letsvpn-latest.exe (PID: 5704)
      • tapinstall.exe (PID: 3328)
      • drvinst.exe (PID: 4692)
      • drvinst.exe (PID: 2008)
      • LetsPRO.exe (PID: 6592)

    • Creates files in the program directory

      • letsvpn-latest.exe (PID: 5704)
      • LetsPRO.exe (PID: 6592)

    • Creates files or folders in the user directory

      • letsvpn-latest.exe (PID: 5704)
      • LetsPRO.exe (PID: 6592)

    • The process uses the downloaded file

      • powershell.exe (PID: 1752)
      • LetsPRO.exe (PID: 6592)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1752)
      • LetsPRO.exe (PID: 6592)

    • Reads the software policy settings

      • tapinstall.exe (PID: 3328)
      • drvinst.exe (PID: 4692)
      • LetsPRO.exe (PID: 6592)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1752)

    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 4692)
      • tapinstall.exe (PID: 3328)
      • LetsPRO.exe (PID: 6592)

    • Reads the time zone

      • LetsPRO.exe (PID: 6592)

    • Disables trace logs

      • LetsPRO.exe (PID: 6592)
      • netsh.exe (PID: 7132)

    • Checks proxy server information

      • LetsPRO.exe (PID: 6592)

    • Attempting to connect via WebSocket

      • LetsPRO.exe (PID: 6592)

    • Reads Windows Product ID

      • LetsPRO.exe (PID: 6592)

    • Reads CPU info

      • LetsPRO.exe (PID: 6592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
43
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start letsvpn-latest.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs tapinstall.exe no specs conhost.exe no specs tapinstall.exe conhost.exe no specs drvinst.exe drvinst.exe cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs tapinstall.exe no specs conhost.exe no specs letspro.exe no specs letspro.exe wmiapsrv.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs arp.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs letsvpn-latest.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
360"C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exeletsvpn-latest.exe
User:
admin
Integrity Level:
HIGH
Description:
LetsVPN
Exit code:
0
Version:
3.10.2
Modules
Images
c:\program files (x86)\letsvpn\letspro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
780"C:\Users\admin\AppData\Local\Temp\letsvpn-latest.exe" C:\Users\admin\AppData\Local\Temp\letsvpn-latest.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\letsvpn-latest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
876\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetapinstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1148\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1752powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeletsvpn-latest.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1964\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2008DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "00000000000001CC"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
2024\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2796route printC:\Windows\SysWOW64\ROUTE.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Route Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\route.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2816\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetapinstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
52 619
Read events
52 449
Write events
152
Delete events
18

Modification events

(PID) Process:(5704) letsvpn-latest.exeKey:HKEY_CURRENT_USER\SOFTWARE\Lets
Operation:writeName:InstallTimeStamp
Value:
20240914034528.566
(PID) Process:(5704) letsvpn-latest.exeKey:HKEY_CURRENT_USER\SOFTWARE\Lets
Operation:writeName:InstallNewVersion
Value:
3.10.2
(PID) Process:(3328) tapinstall.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:writeName:setupapi.dev.log
Value:
4096
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
Operation:writeName:Owners
Value:
oem1.inf
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/tap0901.sys
Operation:writeName:Owners
Value:
oem1.inf
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:writeName:Configuration
Value:
tap0901.ndi
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:writeName:Manufacturer
Value:
%provider%
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:writeName:Description
Value:
%devicedescription%
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:writeName:Service
Value:
tap0901
(PID) Process:(2008) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:writeName:ConfigScope
Value:
5
Executable files
222
Suspicious files
29
Text files
22
Unknown types
4

Dropped files

PID
Process
Filename
Type
5704letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsbA91A.tmp\nsExec.dllexecutable
MD5:3D366250FCF8B755FCE575C75F8C79E4
SHA256:8BDD996AE4778C6F829E2BCB651C55EFC9EC37EEEA17D259E013B39528DDDBB6
4668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_booiwele.43b.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5704letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsbA91A.tmp\nsDialogs.dllexecutable
MD5:CA95C9DA8CEF7062813B989AB9486201
SHA256:FEB6364375D0AB081E9CDF11271C40CB966AF295C600903383B0730F0821C0BE
5704letsvpn-latest.exeC:\Program Files (x86)\letsvpn\driver\OemVista.infbinary
MD5:26009F092BA352C1A64322268B47E0E3
SHA256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
4668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mkexmueu.15p.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5704letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsbA91A.tmp\modern-wizard.bmpimage
MD5:7F8E1969B0874C8FB9AB44FC36575380
SHA256:076221B4527FF13C3E1557ABBBD48B0CB8E5F7D724C6B9171C6AADADB80561DD
5704letsvpn-latest.exeC:\Program Files (x86)\letsvpn\Update.exeexecutable
MD5:3438046B7162AAD3BD7C9B389D3E4901
SHA256:92EA2A1C24BF5C06400EB09E46A11977F9B186BEDC62C6A4243858A00CDEC30A
4668powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:B8051B91EA473B94B3D80626E809FFB3
SHA256:C82ED90DA3AF1BB6D54172641CDAC2C50887A4D74194C404AEC7CB40028D7AA5
5704letsvpn-latest.exeC:\Program Files (x86)\letsvpn\driver\tapinstall.exeexecutable
MD5:1E3CF83B17891AEE98C3E30012F0B034
SHA256:9F45A39015774EEAA2A6218793EDC8E6273EB9F764F3AEDEE5CF9E9CCACDB53F
5704letsvpn-latest.exeC:\Program Files (x86)\letsvpn\driver\tap0901.catbinary
MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F
SHA256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
101
DNS requests
26
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6612
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6592
LetsPRO.exe
GET
101
52.220.81.111:80
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2
unknown
whitelisted
1064
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5172
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5172
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6232
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6612
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6612
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1064
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1064
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
508
svchost.exe
184.30.17.189:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.136
  • 40.126.32.74
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
www.baidu.com
  • 103.235.46.96
  • 103.235.47.188
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
letsvpn-latest.exe