| File name: | Ultimate Turbo V2.zip |
| Full analysis: | https://app.any.run/tasks/987340b7-59d8-4329-9dbe-99391777b58a |
| Verdict: | Malicious activity |
| Analysis date: | May 28, 2025, 13:52:01 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | A314F3F717A31330376ECE260555B66D |
| SHA1: | 4080EB1760F8B4AF44FA55283309111772D59DB0 |
| SHA256: | 3B6061A96B4E31509C6CC4D15AE099C02C5DEC767532665A85E09CF3DA0FB9E0 |
| SSDEEP: | 384:Flz4ZQEU15KbZWaEjhRXB80Fiqns1Sy9S4hpz3j4HK:FpWQp15daEjhRTFiseHVhpgHK |
MALICIOUS
No malicious indicators.SUSPICIOUS
Starts application with an unusual extension
- cmd.exe (PID: 7832)
- cmd.exe (PID: 7396)
- cmd.exe (PID: 4884)
- cmd.exe (PID: 4868)
Starts NET.EXE to display or manage information about active sessions
- cmd.exe (PID: 7396)
- net.exe (PID: 7336)
- net.exe (PID: 1096)
- cmd.exe (PID: 1128)
- cmd.exe (PID: 4884)
- net.exe (PID: 7756)
- cmd.exe (PID: 4776)
- net.exe (PID: 8052)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 7396)
- cmd.exe (PID: 1128)
- cmd.exe (PID: 4884)
- cmd.exe (PID: 7104)
- cmd.exe (PID: 6660)
- forfiles.exe (PID: 8064)
- forfiles.exe (PID: 4244)
- cmd.exe (PID: 8032)
- forfiles.exe (PID: 1348)
- cmd.exe (PID: 4776)
Application launched itself
- cmd.exe (PID: 7396)
- cmd.exe (PID: 1128)
- cmd.exe (PID: 4884)
- cmd.exe (PID: 7104)
- cmd.exe (PID: 8032)
- cmd.exe (PID: 6660)
- cmd.exe (PID: 4776)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 7396)
- cmd.exe (PID: 4884)
Uses WMIC.EXE to obtain operating system information
- cmd.exe (PID: 7428)
- cmd.exe (PID: 5964)
- cmd.exe (PID: 5164)
- cmd.exe (PID: 5956)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 7396)
- cmd.exe (PID: 1128)
Stops a currently running service
- sc.exe (PID: 6640)
- sc.exe (PID: 7992)
- sc.exe (PID: 8064)
- sc.exe (PID: 7388)
- sc.exe (PID: 4652)
- sc.exe (PID: 7472)
- sc.exe (PID: 7524)
- sc.exe (PID: 7544)
Windows service management via SC.EXE
- sc.exe (PID: 7832)
- sc.exe (PID: 8052)
- sc.exe (PID: 6760)
- sc.exe (PID: 4728)
- sc.exe (PID: 5156)
- sc.exe (PID: 8180)
- sc.exe (PID: 5200)
- sc.exe (PID: 6572)
- sc.exe (PID: 7448)
- sc.exe (PID: 7312)
- sc.exe (PID: 7488)
- sc.exe (PID: 7528)
- sc.exe (PID: 8136)
- sc.exe (PID: 7596)
- sc.exe (PID: 7556)
- sc.exe (PID: 7400)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 1128)
- cmd.exe (PID: 4884)
- cmd.exe (PID: 4776)
- cmd.exe (PID: 4868)
Starts SC.EXE for service management
- cmd.exe (PID: 1128)
Hides command output
- cmd.exe (PID: 7104)
- cmd.exe (PID: 8032)
- cmd.exe (PID: 6660)
- cmd.exe (PID: 8180)
- cmd.exe (PID: 4012)
- powercfg.exe (PID: 7748)
- powercfg.exe (PID: 3888)
- cmd.exe (PID: 5892)
Searches and executes a command on selected files
- forfiles.exe (PID: 8064)
- forfiles.exe (PID: 4244)
- forfiles.exe (PID: 1348)
Process uses IPCONFIG to clear DNS cache
- cmd.exe (PID: 4884)
Process uses IPCONFIG to discard the IP address configuration
- cmd.exe (PID: 4884)
Process uses IPCONFIG to renew DHCP configuration
- cmd.exe (PID: 4884)
Process uses IPCONFIG to get network configuration information
- cmd.exe (PID: 4884)
Suspicious use of NETSH.EXE
- cmd.exe (PID: 4884)
- cmd.exe (PID: 4776)
Uses powercfg.exe to modify the power settings
- cmd.exe (PID: 4012)
- cmd.exe (PID: 5892)
INFO
Manual execution by a user
- cmd.exe (PID: 7832)
- regedit.exe (PID: 2504)
- regedit.exe (PID: 8176)
- regedit.exe (PID: 4008)
- regedit.exe (PID: 3888)
- regedit.exe (PID: 5008)
- regedit.exe (PID: 4988)
- regedit.exe (PID: 1660)
- regedit.exe (PID: 1676)
- regedit.exe (PID: 2148)
- regedit.exe (PID: 5244)
- cmd.exe (PID: 7396)
- cmd.exe (PID: 1128)
- cmd.exe (PID: 4884)
- notepad.exe (PID: 7612)
- cmd.exe (PID: 4776)
- cmd.exe (PID: 4868)
Changes the display of characters in the console
- cmd.exe (PID: 7832)
- cmd.exe (PID: 7396)
- cmd.exe (PID: 4884)
- cmd.exe (PID: 4868)
Checks supported languages
- chcp.com (PID: 7896)
- chcp.com (PID: 7344)
Create files in a temporary directory
- reg.exe (PID: 7612)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 3956)
- WMIC.exe (PID: 6576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (66.6) |
|---|---|---|
| .zip | | | ZIP compressed archive (33.3) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2025:05:25 15:19:00 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | Ultimate Turbo V2/ |
Total processes
712
Monitored processes
567
Malicious processes
4
Suspicious processes
6
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 132 | /c del /q /f "C:\WINDOWS\Prefetch\SIHOST.EXE-2C4C53BA.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 208 | /c echo "SETUP.EXE-02E2ADB1.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 232 | /c echo "RUNDLL32.EXE-D818865A.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 236 | /c echo "AgGlFaultHistory.db" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 236 | /c del /q /f "C:\WINDOWS\Prefetch\CHROME.EXE-5A1054B1.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 236 | /c del /q /f "C:\WINDOWS\Prefetch\SKYPE.EXE-72459440.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 300 | /c echo "SVCHOST.EXE-62975899.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 444 | /c del /q /f "C:\WINDOWS\Prefetch\CHROME.EXE-5A1054B0.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 456 | /c echo "DLLHOST.EXE-041F1888.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
| 496 | /c echo "RUNTIMEBROKER.EXE-D128F7A3.pf" | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||
Total events
16 934
Read events
16 809
Write events
89
Delete events
36
Modification events
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Ultimate Turbo V2.zip | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000 | |||
| (PID) Process: | (1276) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
0
Suspicious files
0
Text files
59
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\0-Startup\remove-ini-programs.bat | text | |
MD5:45C4E1D98773182A5C3E74F2F5B29197 | SHA256:CC073D2F6E507F82AEA27C67449538BC3211CBF3A372AF894CC96B89AC17196B | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\0-Startup\Backup-Point.bat | text | |
MD5:24C6E42357AA75F8F0F798ED02FB5E61 | SHA256:0DC7387B5E3B38EAF171281D076334ABCCF98CCF2A82805E83404006349156DC | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\0-Startup\0-Não mexa nessa pasta.txt | text | |
MD5:3ABE77D01D03FB2EA0B20CACB2F542E1 | SHA256:40C4560C41A2B37355EC20C3E1C7FB96FEF0FCC455FA1A721AF549C101481206 | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\0-Startup\1-Tutorial pt-br.txt | text | |
MD5:35C957DAE2C32C5FFE0B57CCC8ED03C2 | SHA256:B36EEEA26F0F03B474FF4AAAD5BED9952F9A224D44F0A593778F7A41B0233DF1 | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\0-Startup\1-Tutorial en.txt | text | |
MD5:D71DC3DD9B04F709AA9E9AA680650F0D | SHA256:265F846008B3CDBD2501642149A5D75A4B15DDFC75BFF08064AE27DADDF1904C | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\0-Startup\Program-Uninstall.bat | text | |
MD5:9956650A570EF6F238FFD78D1DB48A80 | SHA256:FE7C8A4C3120291B779DA7A320DCFC58A7A9BAA7E274EC583B7AD511B14119C9 | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\1-Bat Optimizations\1-Windows-Settings.bat | text | |
MD5:1A774CE6DE5135B0F0F9954DAC3D2794 | SHA256:94C45602E0D6C540B9AC73F11898E8FA3AD2C2C73C23B5B308D1DA09B434B258 | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\1-Bat Optimizations\2-Advanced Reg Fixes.bat | text | |
MD5:D52FE5B33ADD90AF89EF3FE8C6BDB7E4 | SHA256:F554384ADA1B9D1406EBA8C423D87E068255160379DE9FFA11581FAA2E1F8757 | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\2-Reg fixes\GameDVR Disabler.reg | text | |
MD5:F5BCE6945FD6182CE094E7E373DBEFF5 | SHA256:6E1EDC9828C4CC285F8AEC34C40BCAF529E7391E90F7CA1722DDFAF6ABB5C327 | |||
| 1276 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1276.14482\Ultimate Turbo V2\2-Reg fixes\Better Gpu - No network throttle.reg | text | |
MD5:75B6E988B14334521116D0932B9EE73F | SHA256:834DA0A7EB4634C21F504EA2B7DF24E822C1F131FCA6281305CFD1DF8D7909CA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
24
DNS requests
17
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2616 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |