File name: letspro-5.2.9.zip.exe

Full analysis: https://app.any.run/tasks/5351811e-acce-4b25-8b42-8492478571d3
Verdict: Malicious activity
Analysis date: May 31, 2025, 20:16:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, lua, auto-reg, antivm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: DA64883698FBC3D8C8AB60A7386E8058
SHA1: 04FEB77D8166599D360DF1302E39B3C16AC71B8B
SHA256: 11540A90F1DC6BAD4EC1BFA3433253D0A89DA35B1195A8284AC262AF99046CCF
SSDEEP: 196608:22IPXAa3MfVmKbOkOisgbxI1VfVOuWIzU1K2zZaw8:ji8ftbOkOPgb6dOXSUFZD8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • letspro-5.2.9.zip.exe (PID: 2104)
    • Antivirus name has been found in the command line (generic signature)

      • powershell.exe (PID: 7440)
    • Changes the autorun value in the registry

      • iusb3mon.exe (PID: 8020)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 456)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • letspro-5.2.9.zip.exe (PID: 1512)
      • letsvpn-latest.exe (PID: 780)
      • irsetup.exe (PID: 1268)
    • Reads security settings of Internet Explorer

      • letspro-5.2.9.zip.exe (PID: 1512)
      • irsetup.exe (PID: 1268)
    • Get information on the list of running processes

      • irsetup.exe (PID: 1268)
    • Starts POWERSHELL.EXE for commands execution

      • irsetup.exe (PID: 1268)
      • iusb3mon.exe (PID: 8020)
    • The process drops C-runtime libraries

      • irsetup.exe (PID: 1268)
    • The process creates files with name similar to system file names

      • letsvpn-latest.exe (PID: 780)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • letsvpn-latest.exe (PID: 780)
    • Process drops legitimate windows executable

      • irsetup.exe (PID: 1268)
    • Removes files via Powershell

      • powershell.exe (PID: 4648)
    • Manipulates environment variables

      • powershell.exe (PID: 4648)
    • The process bypasses the loading of PowerShell profile settings

      • iusb3mon.exe (PID: 8020)
    • Probably obfuscated PowerShell command line is found

      • iusb3mon.exe (PID: 8020)
    • Base64-obfuscated command line is found

      • iusb3mon.exe (PID: 8020)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 4648)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4648)
    • Starts CMD.EXE for commands execution

      • iusb3mon.exe (PID: 8020)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 4648)
    • There is functionality for VM detection Parallels (YARA)

      • iusb3mon.exe (PID: 8020)
    • There is functionality for VM detection VMWare (YARA)

      • iusb3mon.exe (PID: 8020)
    • There is functionality for taking screenshot (YARA)

      • letsvpn-latest.exe (PID: 780)
      • iusb3mon.exe (PID: 8020)
    • There is functionality for VM detection VirtualBox (YARA)

      • iusb3mon.exe (PID: 8020)
    • Connects to unusual port

      • iusb3mon.exe (PID: 8020)
  • INFO

    • The sample compiled with english language support

      • letspro-5.2.9.zip.exe (PID: 1512)
      • irsetup.exe (PID: 1268)
    • Process checks computer location settings

      • letspro-5.2.9.zip.exe (PID: 1512)
      • irsetup.exe (PID: 1268)
    • Reads the computer name

      • letspro-5.2.9.zip.exe (PID: 1512)
      • irsetup.exe (PID: 1268)
      • letsvpn-latest.exe (PID: 780)
    • Checks supported languages

      • letspro-5.2.9.zip.exe (PID: 1512)
      • irsetup.exe (PID: 1268)
      • iusb3mon.exe (PID: 8020)
      • letsvpn-latest.exe (PID: 780)
      • iusb3mon.exe (PID: 6560)
    • Create files in a temporary directory

      • irsetup.exe (PID: 1268)
      • letspro-5.2.9.zip.exe (PID: 1512)
      • letsvpn-latest.exe (PID: 780)
      • iusb3mon.exe (PID: 8020)
      • SecEdit.exe (PID: 7460)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7980)
      • powershell.exe (PID: 4560)
      • powershell.exe (PID: 7440)
      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 7240)
      • powershell.exe (PID: 8136)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 1268)
    • The process uses Lua

      • irsetup.exe (PID: 1268)
    • UPX packer has been detected

      • irsetup.exe (PID: 1268)
      • iusb3mon.exe (PID: 8020)
    • The sample compiled with chinese language support

      • irsetup.exe (PID: 1268)
    • Creates files in the program directory

      • irsetup.exe (PID: 1268)
    • Launch of the file from Registry key

      • iusb3mon.exe (PID: 8020)
    • Manual execution by a user

      • iusb3mon.exe (PID: 6560)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:14 16:16:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 22528
InitializedDataSize: 48128
UninitializedDataSize: -
EntryPoint: 0x29e1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Created with Setup Factory
FileDescription: Setup Application
FileVersion: 9.1.0.0
InternalName: suf_launch
LegalCopyright: Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFileName: suf_launch.exe
ProductName: Setup Factory Runtime
ProductVersion: 9.1.0.0
No data.
Total processes
154
Monitored processes
29
Malicious processes
4
Suspicious processes
2

Behavior graph

start letspro-5.2.9.zip.exe irsetup.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs iusb3mon.exe letsvpn-latest.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe no specs conhost.exe no specs svchost.exe no specs secedit.exe no specs iusb3mon.exe no specs shellexperiencehost.exe no specs slui.exe letspro-5.2.9.zip.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID: 456
CMD: cmd.exe /c schtasks.exe /create /tn "Intel USB 3.0 eXtensible Host Controller" /xml "C:\Users\admin\AppData\Local\Temp\1200015_t.xml"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: iusb3mon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 780
CMD: "C:\Program Files (x86)\Your Product\letsvpn-latest.exe"
Path: C:\Program Files (x86)\Your Product\letsvpn-latest.exe
Parent process: irsetup.exe
User: admin
Company: Letsgo Network Incorporated
Integrity Level: HIGH
Description: LetsVPN Setup EXE
Version: 3.12.0.0
Modules
Images
c:\program files (x86)\your product\letsvpn-latest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1056
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1244
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ppid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=1512').ParentProcessId;exit $ppid
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: irsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 5492
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1268
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.zip.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Parent process: letspro-5.2.9.zip.exe
User: admin
Company: Indigo Rose Corporation
Integrity Level: HIGH
Description: Setup Application
Exit code: 0
Version: 9.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1512
CMD: "C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.zip.exe"
Path: C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.zip.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Setup Application
Exit code: 0
Version: 9.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\letspro-5.2.9.zip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2104
CMD: "C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.zip.exe"
Path: C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.zip.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Setup Application
Exit code: 3221226540
Version: 9.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\letspro-5.2.9.zip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2384
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3124
CMD: schtasks.exe /create /tn "Intel USB 3.0 eXtensible Host Controller" /xml "C:\Users\admin\AppData\Local\Temp\1200015_t.xml"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
36 791
Read events
36 782
Write events
8
Delete events
1

Modification events

Process: iusb3mon.exe (PID 8020)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftUSBMonitor
Value: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe

Process: iusb3mon.exe (PID 8020)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftUSBMonitor
Value: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe

Process: SecEdit.exe (PID 7460)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
Operation: delete value
Name: LastWinlogonConfig
Value:

Process: iusb3mon.exe (PID 8020)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

Process: iusb3mon.exe (PID 8020)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: iusb3mon.exe (PID 8020)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

Process: ShellExperienceHost.exe (PID 208)
Key: \REGISTRY\A\{7f0e2a45-7213-f653-9a0a-5e24406a09ad}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D000000363E6AFD68D2DB01

Process: iusb3mon.exe (PID 8020)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableLockWorkstation
Value: 0
Executable files
12
Suspicious files
5
Text files
22
Unknown types
0

Dropped files

PID: 4560
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a52d2oqa.3dw.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1268
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG
Type: image
MD5: AC40DED6736E08664F2D86A65C47EF60
SHA256: F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA

PID: 7444
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bljl0uht.3ef.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1268
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
Type: image
MD5: 3220A6AEFB4FC719CC8849F060859169
SHA256: 988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765

PID: 1244
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qzxnpt1i.jrm.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1244
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 449076F5A3DABB4A241C4D1156FC6333
SHA256: BC5EF02F74E164FA3111A51849EF931E371ABA6B429F5916C536C9BF09EBDD61

PID: 7440
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ibk5cvuh.xec.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7980
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5rdexvrq.3o3.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7980
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zngs1qmx.bbo.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4560
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zl0r2sjg.bci.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2416
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2416
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID: 4; Process: System; IP: 192.168.100.255:137; Reputation: whitelisted
PID: 7504; Process: RUXIMICS.exe; IP: 4.231.128.59:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; Reputation: whitelisted
IP: 4.231.128.59:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; Reputation: whitelisted
PID: 5496; Process: MoUsoCoreWorker.exe; IP: 2.16.168.114:80; Domain: crl.microsoft.com; ASN: Akamai International B.V.; CN: RU; Reputation: whitelisted
PID: 5496; Process: MoUsoCoreWorker.exe; IP: 2.23.246.101:80; Domain: www.microsoft.com; ASN: Ooredoo Q.S.C.; CN: QA; Reputation: whitelisted
PID: 4; Process: System; IP: 192.168.100.255:138; Reputation: whitelisted
PID: 6544; Process: svchost.exe; IP: 20.190.160.17:443; Domain: login.live.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
PID: 6544; Process: svchost.exe; IP: 184.30.131.245:80; Domain: ocsp.digicert.com; ASN: AKAMAI-AS; CN: US; Reputation: whitelisted
PID: 3216; Process: svchost.exe; IP: 172.211.123.248:443; Domain: client.wns.windows.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: FR; Reputation: whitelisted
PID: 2416; Process: SIHClient.exe; IP: 20.12.23.50:443; Domain: slscr.update.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: US; Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
google.com
  • 172.217.18.14
whitelisted
login.live.com
  • 20.190.160.17
  • 40.126.32.76
  • 20.190.160.132
  • 40.126.32.74
  • 20.190.160.67
  • 20.190.160.66
  • 20.190.160.2
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
jjiiee.com
  • 27.124.34.146
unknown

Threats

No threats detected
No debug info