URL:

https://download.fastpull.net/file/windows-turbo/TurboVPN_setup.exe

Full analysis: https://app.any.run/tasks/d6427806-735a-4825-860f-663b66dddca3
Verdict: Malicious activity
Analysis date: December 13, 2023, 16:05:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MD5:

978D987C245CB2EBB137B82D139A7DB5

SHA1:

7978527841AC3A3299B07C50694EB9FAF3B35448

SHA256:

952F91C5364DB962AF519B90ACA4FB62114C91DCF6079B3FE85A138579465E37

SSDEEP:

3:N8SElYScA9dKWK5V6HY4A:2SK/oWuV644A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • TurboVPN_setup.exe (PID: 3528)
      • drvinst.exe (PID: 3408)
      • drvinst.exe (PID: 3800)
    • Drops the executable file immediately after the start

      • TurboVPN_setup.exe (PID: 3528)
      • drvinst.exe (PID: 3408)
      • installtapx86.exe (PID: 3516)
      • drvinst.exe (PID: 3800)
      • TurboVPN.exe (PID: 3648)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • TurboVPN_setup.exe (PID: 3528)
    • The process creates files with name similar to system file names

      • TurboVPN_setup.exe (PID: 3528)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • TurboVPN_setup.exe (PID: 3528)
    • Checks for external IP

      • TurboVPN_setup.exe (PID: 3528)
      • TurboVPN.exe (PID: 3648)
    • Reads settings of System Certificates

      • installtapx86.exe (PID: 3516)
      • rundll32.exe (PID: 3928)
      • TurboVPN.exe (PID: 3648)
    • Process drops legitimate windows executable

      • TurboVPN_setup.exe (PID: 3528)
    • Drops a system driver (possible attempt to evade defenses)

      • TurboVPN_setup.exe (PID: 3528)
      • drvinst.exe (PID: 3408)
      • installtapx86.exe (PID: 3516)
      • drvinst.exe (PID: 3800)
    • Reads security settings of Internet Explorer

      • installtapx86.exe (PID: 3516)
      • TurboVPN.exe (PID: 3648)
    • Checks Windows Trust Settings

      • installtapx86.exe (PID: 3516)
      • drvinst.exe (PID: 3408)
      • drvinst.exe (PID: 3800)
      • TurboVPN.exe (PID: 3648)
    • The process drops C-runtime libraries

      • TurboVPN_setup.exe (PID: 3528)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3380)
      • turbo_vpn-service.exe (PID: 1700)
    • Creates files in the driver directory

      • drvinst.exe (PID: 3408)
      • drvinst.exe (PID: 3800)
    • Reads the Internet Settings

      • TurboVPN.exe (PID: 3648)
    • Adds/modifies Windows certificates

      • TurboVPN.exe (PID: 3648)
    • Uses TASKKILL.EXE to kill process

      • ns298D.tmp (PID: 1004)
      • ns2A78.tmp (PID: 3496)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3048)
      • msedge.exe (PID: 4028)
      • msedge.exe (PID: 3296)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 3048)
    • Reads the computer name

      • TurboVPN_setup.exe (PID: 3528)
      • installtapx86.exe (PID: 3516)
      • drvinst.exe (PID: 3408)
      • turbo_vpn-service.exe (PID: 1448)
      • drvinst.exe (PID: 3800)
      • turbo_vpn-service.exe (PID: 2408)
      • turbo_vpn-service.exe (PID: 1700)
      • TurboVPNLauncher.exe (PID: 2856)
      • TurboVPN.exe (PID: 3648)
      • turboconfig.exe (PID: 2788)
      • wmpnscfg.exe (PID: 3940)
      • wmpnscfg.exe (PID: 3392)
    • Checks supported languages

      • TurboVPN_setup.exe (PID: 3528)
      • ns2A78.tmp (PID: 3496)
      • ns298D.tmp (PID: 1004)
      • wmpnscfg.exe (PID: 3940)
      • installtapx86.exe (PID: 3516)
      • drvinst.exe (PID: 3408)
      • turbo_vpn-service.exe (PID: 1448)
      • drvinst.exe (PID: 3800)
      • TurboVPNLauncher.exe (PID: 2856)
      • TurboVPN.exe (PID: 3648)
      • turbo_vpn-service.exe (PID: 1700)
      • turbo_vpn-service.exe (PID: 2408)
      • turboconfig.exe (PID: 2788)
      • wmpnscfg.exe (PID: 3392)
    • Creates files in the program directory

      • TurboVPN_setup.exe (PID: 3528)
      • turbo_vpn-service.exe (PID: 2408)
      • TurboVPNLauncher.exe (PID: 2856)
      • TurboVPN.exe (PID: 3648)
      • turbo_vpn-service.exe (PID: 1448)
    • Create files in a temporary directory

      • TurboVPN_setup.exe (PID: 3528)
      • installtapx86.exe (PID: 3516)
    • Reads the machine GUID from the registry

      • installtapx86.exe (PID: 3516)
      • drvinst.exe (PID: 3408)
      • drvinst.exe (PID: 3800)
      • TurboVPN.exe (PID: 3648)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 3928)
    • Reads Environment values

      • drvinst.exe (PID: 3800)
    • Creates files or folders in the user directory

      • TurboVPN_setup.exe (PID: 3528)
      • TurboVPN.exe (PID: 3648)
    • Checks proxy server information

      • TurboVPN.exe (PID: 3648)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3392)
      • wmpnscfg.exe (PID: 3940)
      • msedge.exe (PID: 3296)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 92
Monitored processes: 43
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Process nodes in graph order: start, iexplore.exe, iexplore.exe, wmpnscfg.exe (no specs), turbovpn_setup.exe (no specs), turbovpn_setup.exe, ns298d.tmp (no specs), taskkill.exe (no specs), ns2a78.tmp (no specs), taskkill.exe (no specs), installtapx86.exe, drvinst.exe (no specs), rundll32.exe (no specs), vssvc.exe (no specs), drvinst.exe (no specs), turbo_vpn-service.exe (no specs) ×3, turbovpnlauncher.exe (no specs), turbovpn.exe, turboconfig.exe, msedge.exe (no specs) ×4, msedge.exe, msedge.exe (no specs) ×2, msedge.exe, msedge.exe (no specs) ×14, wmpnscfg.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 684
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3788 --field-trial-handle=1256,i,16617220739899546771,6468520683862065626,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 844
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1256,i,16617220739899546771,6468520683862065626,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1004
CMD: "C:\Users\admin\AppData\Local\Temp\nse395.tmp\ns298D.tmp" "TASKKILL " /F /IM TurboVPN.exe /T
Path: C:\Users\admin\AppData\Local\Temp\nse395.tmp\ns298D.tmp
Parent process: TurboVPN_setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
128
Modules
Images
c:\users\admin\appdata\local\temp\nse395.tmp\ns298d.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1376
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3388 --field-trial-handle=1256,i,16617220739899546771,6468520683862065626,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1416
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6ab7f598,0x6ab7f5a8,0x6ab7f5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: "C:\Program Files\TurboVPN\turbo_vpn-service.exe" install
Path: C:\Program Files\TurboVPN\turbo_vpn-service.exe
Parent process: TurboVPN_setup.exe
User:
admin
Company:
Innovative Connecting
Integrity Level:
HIGH
Description:
turbo_vpn-service
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\turbovpn\turbo_vpn-service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1696
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\TurboVPN_setup.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\TurboVPN_setup.exe
Parent process: iexplore.exe
User:
admin
Company:
Innovative Connecting
Integrity Level:
MEDIUM
Description:
TurboVPN install package
Exit code:
3221226540
Version:
2.23.0.0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\turbovpn_setup.exe
c:\windows\system32\ntdll.dll
PID: 1700
CMD: "C:\Program Files\TurboVPN\turbo_vpn-service.exe"
Path: C:\Program Files\TurboVPN\turbo_vpn-service.exe
Parent process: services.exe
User:
SYSTEM
Company:
Innovative Connecting
Integrity Level:
SYSTEM
Description:
turbo_vpn-service
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\turbovpn\turbo_vpn-service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1784
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1256,i,16617220739899546771,6468520683862065626,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1936
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1256,i,16617220739899546771,6468520683862065626,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 44 738
Read events: 44 363
Write events: 324
Delete events: 51

Modification events

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3048) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 57
Suspicious files: 169
Text files: 67
Unknown types: 1

Dropped files

PID | Process | Filename | Type
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: 149F92D8F6585EFDF31E87F26EE5A856
  SHA256: 2745F3659700C5778456CD7F7CF266166811DADFA7B3E11DCB147E30FF20D465
3048 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary
  MD5: 9339D1A19FFCF07922CE269E8D62CE27
  SHA256: 6315A79C6E8A9F50040688078FE32E059EFB9A3541CE92178A49D487E43A2C9C
3048 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver7907.tmp | xml
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10
  SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
2620 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\TurboVPN_setup[1].exe | executable
  MD5: 60624280783670A9797A9CCC21BE46F6
  SHA256: AFFC80C6174238A486EEF136F93E77C41A3A841F26B89A6DC18DD693BFD728F2
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: 7300C6FD483143A482A8F839688A7B95
  SHA256: F578412426D8C018D9BD6BFBE00DBD2A771AFF244AAD508582C8F29951EFDC4B
3048 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der
  MD5: 7875473BC66743618C61F5EB9E8FE1F0
  SHA256: B858E3EE1294CF8ABF693B00F60B679072B238D175BD194E08CD7E5366EEDBF8
3528 | TurboVPN_setup.exe | C:\Users\admin\AppData\Local\Temp\nse395.tmp\myinternet.dll | executable
  MD5: B29B3E3874823B17C11EE5DFCA740C72
  SHA256: 2B90122AC9259751DE7E257E61292966D649A021BA91769E7496A38CAFEC5F47
3048 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin | binary
  MD5: FA518E3DFAE8CA3A0E495460FD60C791
  SHA256: 775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
3048 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{7C672779-99D1-11EE-A826-12A9866C77DE}.dat | binary
  MD5: 2C96F49FEF96EEF07DAC45AFC06AA65A
  SHA256: 2F0F8735C478A44DA04DFF5BC3ACC159D1954786B839D59650BE6CB763127C70
3048 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml | xml
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10
  SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 120
DNS requests: 100
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2620 | iexplore.exe | GET | 200 | 184.24.77.202:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b27ea2cbe4dcc735 | unknown | compressed | 4.66 Kb | unknown
2620 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown
1080 | svchost.exe | GET | 200 | 72.247.153.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5d0f3f151fb92950 | unknown | compressed | 65.2 Kb | unknown
3048 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
2620 | iexplore.exe | GET | 200 | 184.24.77.202:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?282a5f2988aaef25 | unknown | compressed | 4.66 Kb | unknown
3048 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | binary | 471 b | unknown
3528 | TurboVPN_setup.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | binary | 292 b | unknown
3048 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | unknown | binary | 471 b | unknown
3048 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown
3648 | TurboVPN.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | binary | 292 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2620 | iexplore.exe | 188.114.96.3:443 | download.fastpull.net | CLOUDFLARENET | NL | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2620 | iexplore.exe | 184.24.77.202:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
2620 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 72.247.153.178:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
3048 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
3048 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
download.fastpull.net
  • 188.114.96.3
  • 188.114.97.3
unknown
ctldl.windowsupdate.com
  • 184.24.77.202
  • 184.24.77.193
  • 184.24.77.187
  • 184.24.77.192
  • 184.24.77.179
  • 184.24.77.173
  • 184.24.77.209
  • 184.24.77.207
  • 184.24.77.194
  • 72.247.153.178
  • 72.247.153.162
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
ip-api.com
  • 208.95.112.1
shared
go.microsoft.com
  • 2.18.97.227
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted
dsl-app.s3.us-east-2.amazonaws.com
  • 52.219.101.27
  • 16.12.64.226
  • 52.219.105.146
  • 3.5.133.150
  • 52.219.101.19
  • 52.219.143.74
  • 52.219.100.128
  • 3.5.129.167
shared

Threats

PID | Process | Class | Message
3528 | TurboVPN_setup.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3528 | TurboVPN_setup.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
3528 | TurboVPN_setup.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
3528 | TurboVPN_setup.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3528 | TurboVPN_setup.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3528 | TurboVPN_setup.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
3648 | TurboVPN.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3648 | TurboVPN.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
3648 | TurboVPN.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3648 | TurboVPN.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
Debug output

Process | Message
TurboVPN_setup.exe | {}
installtapx86.exe | C:\Program Files\TurboVPN
installtapx86.exe | Unknow Cmd xxx
installtapx86.exe | C:\Program Files\TurboVPN\installtapx86.exe
installtapx86.exe | C:\Program Files\TurboVPN
installtapx86.exe | C:\Program Files\TurboVPN\installtapx86.exe C:\Program Files\TurboVPN /S
installtapx86.exe | C:\Program Files\TurboVPN\installtapx86.exe
installtapx86.exe | C:\Program Files\TurboVPN
installtapx86.exe | /S
installtapx86.exe | 3