File name:

letsvpn-latest.exe

Full analysis: https://app.any.run/tasks/836d686c-850c-44f9-9b0e-937f0d57eab9
Verdict: Malicious activity
Analysis date: November 20, 2024, 11:56:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
websocket
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

E680B7E43F6FB7DAB7FCD9A07F0B9367

SHA1:

E29C59617F8AAFCDE20E06542510C087EF1892A9

SHA256:

185B11B4952AA5A8BD4AB83B8FEADE5224AD5823F002FF2381F74E184B9F0A25

SSDEEP:

196608:+VR8YtUe4JmHP7zI58mb3YxRog8AtpH3H+2:+VftUVJm/Ik3og8MHXl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • letsvpn-latest.exe (PID: 5856)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3928)
      • powershell.exe (PID: 1224)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • letsvpn-latest.exe (PID: 5856)
      • tapinstall.exe (PID: 6448)
      • drvinst.exe (PID: 6568)
      • drvinst.exe (PID: 6604)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • letsvpn-latest.exe (PID: 5856)

    • The process creates files with name similar to system file names

      • letsvpn-latest.exe (PID: 5856)

    • Starts POWERSHELL.EXE for commands execution

      • letsvpn-latest.exe (PID: 5856)

    • Checks processor architecture

      • powershell.exe (PID: 3928)

    • Manipulates environment variables

      • powershell.exe (PID: 3928)

    • Drops a system driver (possible attempt to evade defenses)

      • letsvpn-latest.exe (PID: 5856)
      • tapinstall.exe (PID: 6448)
      • drvinst.exe (PID: 6568)
      • drvinst.exe (PID: 6604)

    • Process drops legitimate windows executable

      • letsvpn-latest.exe (PID: 5856)
      • LetsPRO.exe (PID: 6240)

    • The process executes Powershell scripts

      • letsvpn-latest.exe (PID: 5856)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 6660)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 6768)
      • cmd.exe (PID: 6984)

    • Starts CMD.EXE for commands execution

      • letsvpn-latest.exe (PID: 5856)
      • LetsPRO.exe (PID: 6240)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 6884)

    • Executes as Windows Service

      • WmiApSrv.exe (PID: 6788)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 6904)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 7076)

    • Suspicious use of NETSH.EXE

      • LetsPRO.exe (PID: 6240)

  • INFO

    • Checks supported languages

      • letsvpn-latest.exe (PID: 5856)

    • Create files in a temporary directory

      • letsvpn-latest.exe (PID: 5856)

    • Reads the computer name

      • letsvpn-latest.exe (PID: 5856)

    • Creates files in the program directory

      • letsvpn-latest.exe (PID: 5856)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 7060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
40
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start letsvpn-latest.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs tapinstall.exe no specs conhost.exe no specs tapinstall.exe conhost.exe no specs drvinst.exe drvinst.exe cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs tapinstall.exe no specs conhost.exe no specs letspro.exe no specs letspro.exe no specs wmiapsrv.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs arp.exe no specs netsh.exe no specs conhost.exe no specs letsvpn-latest.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
436"C:\Users\admin\AppData\Local\Temp\letsvpn-latest.exe" C:\Users\admin\AppData\Local\Temp\letsvpn-latest.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\letsvpn-latest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
492\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1224powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeletsvpn-latest.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3928powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeletsvpn-latest.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5548C:\WINDOWS\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=noC:\Windows\SysWOW64\netsh.exeLetsPRO.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
5680"C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exeletsvpn-latest.exe
User:
admin
Integrity Level:
HIGH
Description:
LetsVPN
Exit code:
0
Version:
3.5.2
Modules
Images
c:\program files (x86)\letsvpn\letspro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5856"C:\Users\admin\AppData\Local\Temp\letsvpn-latest.exe" C:\Users\admin\AppData\Local\Temp\letsvpn-latest.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\letsvpn-latest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5936\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
19 606
Read events
19 531
Write events
60
Delete events
15

Modification events

(PID) Process:(6448) tapinstall.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:writeName:setupapi.dev.log
Value:
4096
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
Operation:writeName:Owners
Value:
oem1.inf
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/tap0901.sys
Operation:writeName:Owners
Value:
oem1.inf
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:writeName:Configuration
Value:
tap0901.ndi
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:writeName:Manufacturer
Value:
%provider%
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:writeName:Description
Value:
%devicedescription%
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:writeName:Service
Value:
tap0901
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:writeName:ConfigScope
Value:
5
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi\Driver\Ndi
Operation:writeName:Service
Value:
tap0901
(PID) Process:(6604) drvinst.exeKey:HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi\Driver\Ndi\Interfaces
Operation:writeName:UpperRange
Value:
ndis5
Executable files
221
Suspicious files
28
Text files
23
Unknown types
4

Dropped files

PID
Process
Filename
Type
5856letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsx9B52.tmp\System.dllexecutable
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
3928powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:8B46660FDE91A9F4DB735DD0A82E5263
SHA256:CA07628A7D5289D040B31DE422DD237A5B3DE9179740F39BFF573A7EC019FDF5
3928powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bpo5crg0.mk3.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3928powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i3nbuedt.oyu.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5856letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsx9B52.tmp\modern-wizard.bmpimage
MD5:7F8E1969B0874C8FB9AB44FC36575380
SHA256:076221B4527FF13C3E1557ABBBD48B0CB8E5F7D724C6B9171C6AADADB80561DD
5856letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsx9B52.tmp\modern-header.bmpimage
MD5:5ACF495828FEAE7F85E006B7774AF497
SHA256:6CFEBB59F0BA1B9F1E8D7AA6387F223A468EB2FF74A9ED3C3F4BB688C2B6455E
5856letsvpn-latest.exeC:\Users\admin\AppData\Local\Temp\nsx9B52.tmp\nsExec.dllexecutable
MD5:3D366250FCF8B755FCE575C75F8C79E4
SHA256:8BDD996AE4778C6F829E2BCB651C55EFC9EC37EEEA17D259E013B39528DDDBB6
5856letsvpn-latest.exeC:\Program Files (x86)\letsvpn\app-3.5.2\DeltaCompressionDotNet.MsDelta.dllexecutable
MD5:6EB5A461CBA6957BE4E53D8408D57809
SHA256:696F6C221387E8FB346C318456E63850BEDD416645958766E6AE32013C4F7BC2
5856letsvpn-latest.exeC:\Program Files (x86)\letsvpn\app-3.5.2\DeltaCompressionDotNet.PatchApi.dllexecutable
MD5:7DAC119CD44D302EA7B56BFE42B29C38
SHA256:F351B18C751023737AF45E5067503207023079C5260B9BB8173BF611F4CDA1A3
5856letsvpn-latest.exeC:\Program Files (x86)\letsvpn\app-3.5.2\CommunityToolkit.Mvvm.dllexecutable
MD5:9F710A9615E03883AA6B3AF05E03037D
SHA256:CDB8C60FFFDEE7E5FC5231BBC673D263C97E09742E050F939AB73AC756BA0285
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
33
DNS requests
31
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4932
svchost.exe
GET
200
2.16.164.113:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2416
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4932
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2416
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5732
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
101
52.76.189.10:80
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2
unknown
whitelisted
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
unknown
whitelisted
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4932
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5660
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4932
svchost.exe
2.16.164.113:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4932
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.23.209.171:443
www.bing.com
Akamai International B.V.
GB
whitelisted
1176
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.113
  • 2.16.164.112
  • 2.16.164.99
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.171
  • 2.23.209.160
  • 2.23.209.162
  • 2.23.209.154
  • 2.23.209.158
  • 2.23.209.168
  • 2.23.209.156
  • 2.23.209.167
  • 2.23.209.166
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.130
  • 2.23.209.181
  • 2.23.209.178
  • 2.23.209.135
  • 2.23.209.133
  • 2.23.209.183
  • 2.23.209.179
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.2
  • 40.126.31.71
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.0
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
letsvpn-latest.exe