File name: LetsCompress.exe
Full analysis: https://app.any.run/tasks/05a66dd3-abaf-4e27-a05d-7947236d7b34
Verdict: Malicious activity
Analysis date: December 11, 2024, 02:45:35
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 58D6E317453F342F2385F5CDCEE5747B
SHA1: 31367BD1073D5D2E609313D99B883D0F1591AC3D
SHA256: 307AF128D05CF469817201A031D935DB0E9890E9CB56257D8B2ADBA51E2FF4F6
SSDEEP: 98304:IL0druM/vIX0pafjCHE6B5fMxNRlOqAhcNAjcXILafIKIkw3Gv2C+04k3N4slrg+:d78B7CGz19oA3VnYp9wU6yHa78K+A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 236)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • LetsCompress.exe (PID: 3584)
    • Checks Windows Trust Settings

      • LetsCompress.exe (PID: 3584)
    • Executable content was dropped or overwritten

      • LetsCompress.exe (PID: 3584)
    • Process drops legitimate windows executable

      • LetsCompress.exe (PID: 3584)
    • Reads the Windows owner or organization settings

      • LetsCompress.exe (PID: 3584)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 236)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 236)
    • The process hides an interactive prompt from the user

      • msiexec.exe (PID: 236)
    • Reverses array data (POWERSHELL)

      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • The process executes Powershell scripts

      • msiexec.exe (PID: 236)
  • INFO

    • The sample compiled with english language support

      • LetsCompress.exe (PID: 3584)
    • Checks supported languages

      • LetsCompress.exe (PID: 3584)
      • msiexec.exe (PID: 4548)
      • msiexec.exe (PID: 236)
    • Reads the computer name

      • LetsCompress.exe (PID: 3584)
      • msiexec.exe (PID: 4548)
      • msiexec.exe (PID: 236)
    • Reads Environment values

      • LetsCompress.exe (PID: 3584)
      • msiexec.exe (PID: 236)
    • Reads the machine GUID from the registry

      • LetsCompress.exe (PID: 3584)
    • Creates files or folders in the user directory

      • LetsCompress.exe (PID: 3584)
    • Checks proxy server information

      • LetsCompress.exe (PID: 3584)
      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • Reads the software policy settings

      • LetsCompress.exe (PID: 3584)
      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • Create files in a temporary directory

      • msiexec.exe (PID: 236)
      • LetsCompress.exe (PID: 3584)
      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • Disables trace logs

      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 5720)
    • The process uses the downloaded file

      • powershell.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:08 12:49:22+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.36
CodeSize: 2534912
InitializedDataSize: 988160
UninitializedDataSize: -
EntryPoint: 0x1e0862
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.0
ProductVersionNumber: 1.4.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Let's Compress
FileDescription: Let's Compress Installer
FileVersion: 1.4.0.0
InternalName: Let's Compress
LegalCopyright: Copyright (C) 2024 Let's Compress
OriginalFileName: Let's Compress.exe
ProductName: Let's Compress
ProductVersion: 1.4.0.0
All screenshots are available in the full report
Total processes: 125
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 2

Behavior graph (process tree reconstructed from the Parent process column in the table below)

explorer.exe
└─ LetsCompress.exe (PID 3584)
services.exe
└─ msiexec.exe /V (PID 4548, SYSTEM) [no specs]
   └─ msiexec.exe -Embedding (PID 236, admin, 32-bit custom action host) [no specs]
      ├─ powershell.exe (PID 3640) -> conhost.exe [no specs]
      └─ powershell.exe (PID 5720) -> conhost.exe [no specs]

The MSI install is brokered by the Windows Installer service, so the msiexec.exe and powershell.exe processes are not direct children of LetsCompress.exe; the connecting artifact is the Let's Compress.msi that PID 3584 writes under AppData\Roaming (see Dropped files).

Process information

PID 236: msiexec.exe
  CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 3C28228D9EB9643BEB2B3037644E7B59 C
  Path: C:\Windows\SysWOW64\msiexec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Version: 5.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\msiexec.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll

PID 3584: LetsCompress.exe
  CMD: "C:\Users\admin\Desktop\LetsCompress.exe"
  Path: C:\Users\admin\Desktop\LetsCompress.exe
  Parent process: explorer.exe
  User: admin
  Company: Let's Compress
  Integrity Level: MEDIUM
  Description: Let's Compress Installer
  Version: 1.4.0.0
  Modules (images):
    c:\users\admin\desktop\letscompress.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 3640: powershell.exe
  CMD: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss7C3C.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi7C38.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr7C39.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr7C3A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\msvcrt.dll
    c:\windows\syswow64\oleaut32.dll

PID 4548: msiexec.exe
  CMD: C:\WINDOWS\system32\msiexec.exe /V
  Path: C:\Windows\System32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\msiexec.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\aclayers.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll

PID 4804: conhost.exe
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 5128: conhost.exe
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 5720: powershell.exe
  CMD: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss7509.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi74F6.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr74F7.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr74F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\msvcrt.dll
    c:\windows\syswow64\oleaut32.dll

PID 4548 (msiexec.exe /V, SYSTEM) is the Windows Installer service itself; PID 236 is the 32-bit (SysWOW64) custom-action host it spawns for this install, running as the logged-on user at medium integrity, which is why both PowerShell instances are the SysWOW64 build. The two PowerShell command lines are identical apart from the temp file names: a wrapper script (pss*.ps1) that is handed the MSI properties (msi*.txt), the real script to run (scr*.ps1) and its arguments (scr*.txt). Whatever the installer actually executes lives in those scr*.ps1 files, which are not among the Dropped files listed below.
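The command lines above are what a detection would key on. The following is an added Python example, not ANY.RUN code: it parses powershell.exe arguments the way powershell.exe resolves them (case-insensitive, documented short aliases such as -ep and -nop), applies the checks behind the report's "Changes powershell execution policy (Bypass)", "Starts POWERSHELL.EXE for commands execution", "bypasses the loading of PowerShell profile settings" and "hide an interactive prompt" signatures to records constructed from the process table, and lists the temp files an analyst would want to pull from the live machine. Attributing the -propFile/-scriptFile/-scriptArgsFile/-propSep/-lineSep/-testPrefix argument set to the open-source PowerShellWixExtension custom action is my assumption; the report does not name it.

```python
"""msiexec.exe -> powershell.exe triage, as an added example (not ANY.RUN code).
EVENTS is constructed from the Process information section of this report."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full image path
    cmdline: str       # as logged (the report omits the image for powershell.exe)
    parent_image: str  # parent image name as the sandbox reports it

_TEMP = r"C:\Users\admin\AppData\Local\Temp"
_PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_PS_CMD = (r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "{t}\pss{a}.ps1" '
           r'-propFile "{t}\msi{b}.txt" -scriptFile "{t}\scr{c}.ps1" '
           r'-scriptArgsFile "{t}\scr{d}.txt" -propSep " :<->: " -lineSep " <<:>> " '
           r'-testPrefix "_testValue."')

EVENTS = [  # constructed from the process table above; PIDs and arguments as printed there
    ProcEvent(3584, r"C:\Users\admin\Desktop\LetsCompress.exe",
              r'"C:\Users\admin\Desktop\LetsCompress.exe"', "explorer.exe"),
    ProcEvent(4548, r"C:\Windows\System32\msiexec.exe", r"C:\WINDOWS\system32\msiexec.exe /V", "services.exe"),
    ProcEvent(236, r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 3C28228D9EB9643BEB2B3037644E7B59 C", "msiexec.exe"),
    ProcEvent(3640, _PS_IMG, _PS_CMD.format(t=_TEMP, a="7C3C", b="7C38", c="7C39", d="7C3A"), "msiexec.exe"),
    ProcEvent(5720, _PS_IMG, _PS_CMD.format(t=_TEMP, a="7509", b="74F6", c="74F7", d="74F8"), "msiexec.exe"),
]

# powershell.exe switches with the short forms listed by `powershell.exe /?`; any prefix of
# three or more letters is accepted too, so "-ep bypass" and "-exec bypass" both resolve.
_PARAMS = {"executionpolicy": ("ex", "ep"), "noprofile": ("nop",), "noninteractive": ("noni",),
           "file": ("f",), "command": ("c",), "windowstyle": ("w",)}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Switch names of the wrapper seen in this report; PowerShellWixExtension origin is assumed.
_WIX_PS_SWITCHES = {"propFile", "scriptFile", "scriptArgsFile", "propSep", "lineSep", "testPrefix"}

def tokenize(cmdline):
    """Split a Windows command line, unwrapping double-quoted arguments."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def _canon(token):
    """Canonical switch name for a '-Switch' token, or None for a plain value."""
    if not token.startswith(("-", "/")):
        return None
    t = token[1:].lower()
    return next((n for n, al in _PARAMS.items() if t == n or t in al or (len(t) >= 3 and n.startswith(t))), None)

def parse_powershell_args(cmdline):
    """Resolve powershell.exe switches; everything after -File <path> belongs to the script."""
    toks, out, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        name = _canon(toks[i])
        if name in ("noprofile", "noninteractive"):
            out[name], i = True, i + 1
        elif name == "command":                      # -Command swallows the remainder
            out[name] = " ".join(toks[i + 1:])
            break
        elif name == "file":
            out[name], out["script_args"] = (toks[i + 1] if i + 1 < len(toks) else ""), toks[i + 2:]
            break
        elif name:
            out[name], i = (toks[i + 1] if i + 1 < len(toks) else ""), i + 2
        else:
            i += 1
    return out

def script_switches(args):
    """Pair '-name value' script arguments (the wrapper's own parameter style)."""
    return {args[i][1:]: args[i + 1] for i in range(len(args) - 1) if args[i].startswith("-")}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def assess(ev):
    """Findings for one process record; empty unless the image is powershell.exe."""
    if _basename(ev.image) != "powershell.exe":
        return []
    args, findings = parse_powershell_args(ev.cmdline), []
    if _basename(ev.parent_image) == "msiexec.exe":
        findings.append("powershell.exe spawned by msiexec.exe (MSI custom action)")
    policy = args.get("executionpolicy", "").lower()
    if policy in ("bypass", "unrestricted"):
        findings.append(f"execution policy overridden: {policy}")
    if args.get("noprofile") and args.get("noninteractive"):
        findings.append("profile skipped and prompts suppressed")
    if _TEMP_DIR.search(args.get("file", "")):
        findings.append(f"script run from user temp: {_basename(args['file'])}")
    if _WIX_PS_SWITCHES <= set(script_switches(args.get("script_args", []))):
        findings.append("wrapper argument set matches PowerShellWixExtension (assumed origin)")
    return findings

def artifacts_to_collect(ev):
    """Temp files named on the command line; they are usually gone once the action finishes."""
    args = parse_powershell_args(ev.cmdline)
    sw = script_switches(args.get("script_args", []))
    return [p for p in [args.get("file", "")] + [sw.get(k, "") for k in ("scriptFile", "propFile", "scriptArgsFile")] if p]

def run_report(events):
    """PID -> findings for every record."""
    return {ev.pid: assess(ev) for ev in events}

if __name__ == "__main__":
    for pid, findings in run_report(EVENTS).items():
        for f in findings:
            print(f"PID {pid}: {f}")
```

Run stand-alone it flags only PIDs 3640 and 5720; the msiexec.exe records produce nothing on their own, which is the point: the signal is the parent/child pair plus the switches, not either process alone. artifacts_to_collect() returns the four temp paths per PowerShell instance so they can be grabbed before the custom action cleans up.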
Total events: 13 985
Read events: 13 971
Write events: 14
Delete events: 0

Modification events

All listed writes come from powershell.exe (PID 3640):

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown in report)
  ConsoleTracingMask = (value not shown in report)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0

These Tracing\<image>_RASAPI32 and _RASMANCS keys are created with exactly these default (disabled) values the first time a process loads the RAS tracing code, which commonly happens when PowerShell makes a web request through WinINet. That is what the "Disables trace logs" signature fires on, so on its own it is evidence of network activity from PID 3640, not of anti-forensics.
Executable files: 17
Suspicious files: 4
Text files: 26
Unknown types: 2

Dropped files

PID 3584 LetsCompress.exe
  C:\Users\admin\AppData\Roaming\Let's Compress\Let's Compress 1.4.0.0\install\holder0.aiph
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)

PID 3584 LetsCompress.exe
  C:\Users\admin\AppData\Roaming\Let's Compress\Let's Compress 1.4.0.0\install\22AED8D\Let's Compress.msi
  Type: executable  MD5: 77BEA04D70F6F5231500001585E187FF
  SHA256: F7CDEB5E813B377D7D3086D5C4DA0646B9CD98E170886CBE831D38099CBE5B3E

PID 3584 LetsCompress.exe
  C:\Users\admin\AppData\Local\Temp\MSI7AC5.tmp
  C:\Users\admin\AppData\Local\Temp\MSI79D8.tmp
  C:\Users\admin\AppData\Local\Temp\MSI7A84.tmp
  C:\Users\admin\AppData\Local\Temp\MSI7AD6.tmp
  C:\Users\admin\AppData\Local\Temp\MSI7AA5.tmp
  Type: executable (all five files share one hash, i.e. one binary written five times)
  MD5: B7A6A99CBE6E762C0A61A8621AD41706
  SHA256: 39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D

PID 3584 LetsCompress.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D343022F8C5E519322B5D9E07C403E21
  Type: der  MD5: 89649037833A19AA4977DC27C607F615
  SHA256: BA7D59BFC8BD240974FF7577C4CABB0377D6DBFCF6DDD0537A3961AD57B06D43

PID 3584 LetsCompress.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Type: binary  MD5: B7C5ACE9D50587BF3748D5E0291F27FE
  SHA256: 1BD1B3222E75895C14EE2C728F434A6DF3330227D0002FC8E7D15A1ADB0D9313

PID 3584 LetsCompress.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D343022F8C5E519322B5D9E07C403E21
  Type: binary  MD5: 6E5FA8831FFBF8B834C94572237D84E9
  SHA256: 15E9F6FA5033CFB9A157A49E6AC078D7DD575348494466B2D40ACAF1F0055345

The CryptnetUrlCache entries are CryptoAPI's cache of revocation data fetched during a signature check (compare the OCSP requests from PID 3584 under HTTP requests); they are a side effect of the "Checks Windows Trust Settings" behaviour, not payloads. The MSI under AppData\Roaming is the file handed to the Windows Installer service, and is the one to pull for static analysis of the custom actions that launch PowerShell.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 11
Threats: 0

HTTP requests (Type and Size columns are empty in the report; CN is "unknown" for every row)

PID   Process              Method  Code  IP                   URL  /  Reputation
3700  svchost.exe          GET     200   23.48.23.143:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  /  whitelisted
4712  MoUsoCoreWorker.exe  GET     200   23.48.23.143:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  /  whitelisted
3700  svchost.exe          GET     200   184.30.21.171:80     http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  /  whitelisted
4712  MoUsoCoreWorker.exe  GET     200   184.30.21.171:80     http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  /  whitelisted
-     -                    GET     -     169.150.247.37:443   https://e.letscompress.online/start  /  -
-     -                    GET     200   169.150.247.38:443   https://e.letscompress.online/letscompress_next_welcome  /  -
3584  LetsCompress.exe     GET     200   104.18.21.226:80     http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D  /  whitelisted
3584  LetsCompress.exe     GET     200   104.18.21.226:80     http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEa8nmSLUN2zOQqKig%3D%3D  /  whitelisted

Everything except e.letscompress.online is whitelisted OS and PKI traffic (Microsoft CRLs fetched by svchost.exe and MoUsoCoreWorker.exe). The report attributes no PID to the two HTTPS requests to e.letscompress.online, so the process behind them has to be inferred from timing in the full report. The two OCSP queries from PID 3584 go to GlobalSign's code-signing root and EV code-signing CA responders, consistent with the installer's own Authenticode chain being validated.

Connections (10 of the 22 recorded connections are listed; none of the rows shown involves 169.150.247.x)

PID   Process              Remote               Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:137  -                                -                            -   whitelisted
4712  MoUsoCoreWorker.exe  51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3700  svchost.exe          51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -                    51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -                    104.126.37.176:443   www.bing.com                     Akamai International B.V.    DE  whitelisted
4     System               192.168.100.255:138  -                                -                            -   whitelisted
3700  svchost.exe          23.48.23.143:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
4712  MoUsoCoreWorker.exe  23.48.23.143:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
3700  svchost.exe          184.30.21.171:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
4712  MoUsoCoreWorker.exe  184.30.21.171:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.176
  • 104.126.37.171
  • 104.126.37.163
  • 104.126.37.185
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.145
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
e.letscompress.online
  • 169.150.247.38
unknown
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

No threats detected
No debug info