Malware analysis letsvpn-3.12.1.exe Malicious activity

Add for printing

File name:	letsvpn-3.12.1.exe
Full analysis:	https://app.any.run/tasks/8914872e-bb2f-44ca-b926-ef9e555246a3
Verdict:	Malicious activity
Analysis date:	March 11, 2025, 12:52:11
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	websocket
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	24CDFD07594672A081A669D65DE0676B
SHA1:	C881A264C7550858F4893710BDCE4B96BEC79C1C
SHA256:	711ACEF8D29ECECE360D6454F82E5C42BBE12F26C0CE260EC0F643750534FAEF
SSDEEP:	196608:RBVmKbekOisgbxI1VfVOuWIzU1K2zZawE:RBtbekOPgb6dOXSUFZDE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Bypass)
  - letsvpn-3.12.1.exe (PID: 7608)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6264)
SUSPICIOUS
- Executable content was dropped or overwritten
  - letsvpn-3.12.1.exe (PID: 7608)
  - tapinstall.exe (PID: 4428)
  - drvinst.exe (PID: 7836)
  - drvinst.exe (PID: 7360)
- Malware-specific behavior (creating "System.dll" in Temp)
  - letsvpn-3.12.1.exe (PID: 7608)
- There is functionality for taking screenshot (YARA)
  - letsvpn-3.12.1.exe (PID: 7608)
- Drops a system driver (possible attempt to evade defenses)
  - letsvpn-3.12.1.exe (PID: 7608)
  - tapinstall.exe (PID: 4428)
  - drvinst.exe (PID: 7836)
  - drvinst.exe (PID: 7360)
- Process drops legitimate windows executable
  - letsvpn-3.12.1.exe (PID: 7608)
- The process executes Powershell scripts
  - letsvpn-3.12.1.exe (PID: 7608)
- Starts POWERSHELL.EXE for commands execution
  - letsvpn-3.12.1.exe (PID: 7608)
- The process creates files with name similar to system file names
  - letsvpn-3.12.1.exe (PID: 7608)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 8144)
  - cmd.exe (PID: 7916)
  - cmd.exe (PID: 5384)
  - cmd.exe (PID: 1764)
- Starts CMD.EXE for commands execution
  - letsvpn-3.12.1.exe (PID: 7608)
  - LetsPRO.exe (PID: 3884)
- Uses ROUTE.EXE to obtain the routing table information
  - cmd.exe (PID: 6808)
- Process uses IPCONFIG to discover network configuration
  - cmd.exe (PID: 7488)
- Executes as Windows Service
  - WmiApSrv.exe (PID: 8108)
- Suspicious use of NETSH.EXE
  - LetsPRO.exe (PID: 3884)
- Process uses ARP to discover network configuration
  - cmd.exe (PID: 2284)
INFO
- The sample compiled with english language support
  - letsvpn-3.12.1.exe (PID: 7608)
  - tapinstall.exe (PID: 4428)
  - drvinst.exe (PID: 7360)
  - drvinst.exe (PID: 7836)
- Checks supported languages
  - letsvpn-3.12.1.exe (PID: 7608)
- Create files in a temporary directory
  - letsvpn-3.12.1.exe (PID: 7608)
- Creates files in the program directory
  - letsvpn-3.12.1.exe (PID: 7608)
- Reads the computer name
  - letsvpn-3.12.1.exe (PID: 7608)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6264)
  - LetsPRO.exe (PID: 3884)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6264)
- Prints a route via ROUTE.EXE
  - ROUTE.EXE (PID: 8152)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:30 16:55:15+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	139776
UninitializedDataSize:	2048
EntryPoint:	0x351c
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.12.1.0
ProductVersionNumber:	3.12.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Letsgo Network Incorporated
FileDescription:	LetsVPN Setup EXE
FileVersion:	3.12.1.0
LegalCopyright:	Copyright (c) 2024
ProductName:	LetsVPN
ProductVersion:	3.12.1.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

188

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

632

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

netsh advfirewall firewall Delete rule name=LetsPRO

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1568

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1764

cmd /c netsh advfirewall firewall Delete rule name=LetsVPN

C:\Windows\SysWOW64\cmd.exe

—

letsvpn-3.12.1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2096

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

tapinstall.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2284

"cmd.exe" /C arp -a

C:\Windows\SysWOW64\cmd.exe

—

LetsPRO.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2320

netsh advfirewall firewall Delete rule name=LetsPRO.exe

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2320

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3884

"C:\Program Files (x86)\letsvpn\app-3.12.1\LetsPRO.exe"

C:\Program Files (x86)\letsvpn\app-3.12.1\LetsPRO.exe

LetsPRO.exe

User:

admin

Integrity Level:

HIGH

Description:

LetsVPN

Version:

3.12.0

Modules

Images
c:\program files (x86)\letsvpn\app-3.12.1\letspro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

3896

arp -a

C:\Windows\SysWOW64\ARP.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Arp Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\arp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

47 108

Read events

46 920

Write events

164

Delete events

Modification events


(PID) Process:	(7608) letsvpn-3.12.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\lets
Operation:	write	Name:	InstallTimeStamp
Value: 20250311125235.105
(PID) Process:	(7608) letsvpn-3.12.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\lets
Operation:	write	Name:	InstallNewVersion
Value: 3.12.1
(PID) Process:	(4428) tapinstall.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
Operation:	write	Name:	Owners
Value: oem1.inf
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/tap0901.sys
Operation:	write	Name:	Owners
Value: oem1.inf
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:	write	Name:	Configuration
Value: tap0901.ndi
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:	write	Name:	Manufacturer
Value: %provider%
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:	write	Name:	Description
Value: %devicedescription%
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:	write	Name:	Service
Value: tap0901
(PID) Process:	(7360) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:	write	Name:	ConfigScope
Value: 5

Add for printing

Executable files

227

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7608	letsvpn-3.12.1.exe	C:\Users\admin\AppData\Local\Temp\nsxBC4E.tmp\modern-header.bmp		image
		MD5:5ACF495828FEAE7F85E006B7774AF497	SHA256:6CFEBB59F0BA1B9F1E8D7AA6387F223A468EB2FF74A9ED3C3F4BB688C2B6455E
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\driver\tap0901.sys		executable
		MD5:C10CCDEC5D7AF458E726A51BB3CDC732	SHA256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\driver\tap0901.cat		binary
		MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F	SHA256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
7608	letsvpn-3.12.1.exe	C:\Users\admin\AppData\Local\Temp\nsxBC4E.tmp\System.dll		executable
		MD5:192639861E3DC2DC5C08BB8F8C7260D5	SHA256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
7608	letsvpn-3.12.1.exe	C:\Users\admin\AppData\Local\Temp\nsxBC4E.tmp\modern-wizard.bmp		image
		MD5:7F8E1969B0874C8FB9AB44FC36575380	SHA256:076221B4527FF13C3E1557ABBBD48B0CB8E5F7D724C6B9171C6AADADB80561DD
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\app-3.12.1\DeltaCompressionDotNet.dll		executable
		MD5:B6634DCB0B38617B4345A4346DA620C7	SHA256:8A397246E984B4FD51A15C5E71BD217A92061F9AEC3CB6CFCB938834E9DD4B65
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\app-3.12.1\Hardcodet.Wpf.TaskbarNotification.dll		executable
		MD5:AAA8B3FA658B9620A798082968201334	SHA256:891C29FCB32C28C74E050BFD7D31D0C4C5FB2ABC5B877A542E25CB7DAA530189
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\app-3.12.1\LetsPRO.exe		executable
		MD5:56162A01D3DE7CB90EB9A2222C6B8F24	SHA256:A41077ED210D8D454D627D15663B7523C33E6F7386CD920A56FBCFBB0A37547D
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\app-3.12.1\DeltaCompressionDotNet.PatchApi.dll		executable
		MD5:839E774D3E0B80A9C407A1269D66D11A	SHA256:ABB8794A52C85A16A4CAD28C99FEA73AE4730ED7B2F708EF58894CC1791217C9
7608	letsvpn-3.12.1.exe	C:\Program Files (x86)\letsvpn\app-3.12.1\LetsGoogleAnalytics.dll		executable
		MD5:1135A24F997D3C473BFD8105223B93F3	SHA256:0A6F43AFEC08D3BD41DA246A0AE22EFC4FB48C1788AA7890BCAC68CC22D0F780

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7940	backgroundTaskHost.exe	GET	—	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	—
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	—
1280	SIHClient.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	—
1280	SIHClient.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7940	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://crl3.digicert.com/DigiCertGlobalRootG2.crl	unknown	—	—	—
3884	LetsPRO.exe	GET	101	47.130.76.214:80	http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	unknown	—	—	whitelisted
3884	LetsPRO.exe	GET	200	151.101.194.133:80	http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDFxLOsCV0WoYXJJrOQ%3D%3D	unknown	—	—	—
3884	LetsPRO.exe	GET	200	151.101.194.133:80	http://ocsp.globalsign.com/codesigningrootr45/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEQCBTkIXoSl%2F7VrM1Bf4ka11	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
—	—	192.168.100.255:137	—	—	—	unknown
5496	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	unknown
5496	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6544	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	unknown
3216	svchost.exe	20.198.162.78:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
7940	backgroundTaskHost.exe	20.31.169.57:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

DNS requests

Domain	IP	Reputation
google.com	142.250.186.142	unknown
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	unknown
login.live.com	40.126.31.67 20.190.159.64 40.126.31.69 20.190.159.4 20.190.159.68 40.126.31.1 20.190.159.131 40.126.31.128	unknown
ocsp.digicert.com	2.23.77.188	unknown
client.wns.windows.com	20.198.162.78	unknown
arc.msn.com	20.31.169.57	unknown
crl3.digicert.com	184.30.131.245	whitelisted
slscr.update.microsoft.com	52.149.20.212	unknown
www.microsoft.com	23.209.214.100	unknown
fe3cr.delivery.mp.microsoft.com	52.165.164.15	unknown

Threats

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request

Add for printing

No debug info

General Info

letsvpn-3.12.1.exe

24CDFD07594672A081A669D65DE0676B

C881A264C7550858F4893710BDCE4B96BEC79C1C

711ACEF8D29ECECE360D6454F82E5C42BBE12F26C0CE260EC0F643750534FAEF

196608:RBVmKbekOisgbxI1VfVOuWIzU1K2zZawE:RBtbekOPgb6dOXSUFZDE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

SUSPICIOUS

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

There is functionality for taking screenshot (YARA)

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

The process executes Powershell scripts

Starts POWERSHELL.EXE for commands execution

The process creates files with name similar to system file names

Uses NETSH.EXE to delete a firewall rule or allowed programs

Starts CMD.EXE for commands execution

Uses ROUTE.EXE to obtain the routing table information

Process uses IPCONFIG to discover network configuration

Executes as Windows Service

Suspicious use of NETSH.EXE

Process uses ARP to discover network configuration

INFO

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

Reads the computer name

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Prints a route via ROUTE.EXE

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings