Malware analysis Cold Turkey Micromanager Pro v1.1 Final x86 x64.rar Malicious activity

Add for printing

File name:	Cold Turkey Micromanager Pro v1.1 Final x86 x64.rar
Full analysis:	https://app.any.run/tasks/8d481316-3dad-4b99-9328-e1407138092b
Verdict:	Malicious activity
Analysis date:	January 04, 2025, 00:37:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc netreactor
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	C863C61D7AA8079763C40692CC0E8774
SHA1:	D86B5F7DA357A88802901E129A5979851BB58D84
SHA256:	0D2FB5E8D0E63EE5ED158C1713B425B98C5AD4333FA53F71BCCEEF74E35982DB
SSDEEP:	98304:w+3dh/eOl0Kg7SWLQsRWeXzdfMlFAA0erLdmGO1bNIp6pj0wHR2UvBWgQVZVxc12:GNqu4DByfA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 5684)
SUSPICIOUS
- Executable content was dropped or overwritten
  - setup.exe (PID: 6748)
  - setup.tmp (PID: 6864)
  - setup.exe (PID: 6840)
- Reads security settings of Internet Explorer
  - setup.tmp (PID: 6764)
  - Cold Turkey Micromanager.exe (PID: 4504)
- Reads the Windows owner or organization settings
  - setup.tmp (PID: 6864)
- Process drops legitimate windows executable
  - setup.tmp (PID: 6864)
- Reads Microsoft Outlook installation path
  - Cold Turkey Micromanager.exe (PID: 4504)
- Reads Internet Explorer settings
  - Cold Turkey Micromanager.exe (PID: 4504)
- Executes as Windows Service
  - MMService.exe (PID: 6960)
INFO
- Manual execution by a user
  - setup.exe (PID: 6748)
  - Cold Turkey Micromanager.exe (PID: 6832)
  - Cold Turkey Micromanager.exe (PID: 4504)
  - WinRAR.exe (PID: 3552)
  - WINWORD.EXE (PID: 5000)
  - mspaint.exe (PID: 5400)
- Checks supported languages
  - setup.tmp (PID: 6764)
  - setup.exe (PID: 6748)
  - setup.tmp (PID: 6864)
  - setup.exe (PID: 6840)
  - Cold Turkey Micromanager.exe (PID: 4504)
  - MMService.exe (PID: 6960)
- Create files in a temporary directory
  - setup.exe (PID: 6748)
  - setup.exe (PID: 6840)
  - setup.tmp (PID: 6864)
- The process uses the downloaded file
  - WinRAR.exe (PID: 5684)
  - Cold Turkey Micromanager.exe (PID: 4504)
  - WINWORD.EXE (PID: 5000)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5684)
- Reads the computer name
  - setup.tmp (PID: 6764)
  - setup.tmp (PID: 6864)
  - Cold Turkey Micromanager.exe (PID: 4504)
  - MMService.exe (PID: 6960)
- Process checks computer location settings
  - setup.tmp (PID: 6764)
- Creates files in the program directory
  - setup.tmp (PID: 6864)
- Creates a software uninstall entry
  - setup.tmp (PID: 6864)
- Reads security settings of Internet Explorer
  - dllhost.exe (PID: 6312)
- Reads the machine GUID from the registry
  - Cold Turkey Micromanager.exe (PID: 4504)
- Reads Environment values
  - Cold Turkey Micromanager.exe (PID: 4504)
- Checks proxy server information
  - Cold Turkey Micromanager.exe (PID: 4504)
- Reads the software policy settings
  - Cold Turkey Micromanager.exe (PID: 4504)
- Disables trace logs
  - Cold Turkey Micromanager.exe (PID: 4504)
- .NET Reactor protector has been detected
  - Cold Turkey Micromanager.exe (PID: 4504)
- Drops encrypted VBS script (Microsoft Script Encoder)
  - WINWORD.EXE (PID: 5000)
- Sends debugging messages
  - WINWORD.EXE (PID: 5000)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	386988
UncompressedSize:	580096
OperatingSystem:	Win32
ArchivedFileName:	Cold Turkey Micromanager Pro v1.1 Final x86 x64/Crack/Cold Turkey Micromanager.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3080

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "F80F0F59-49B0-41F3-93CD-1A3CA9668D1B" "60BDA7ED-9754-4411-BBC4-C739625487E8" "5000"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3552

"C:\Program Files\WinRAR\WinRAR.exe"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4504

"C:\Program Files\Cold Turkey Micromanager\Cold Turkey Micromanager.exe"

C:\Program Files\Cold Turkey Micromanager\Cold Turkey Micromanager.exe

explorer.exe

User:

admin

Company:

Cold Turkey Software

Integrity Level:

HIGH

Description:

Cold Turkey Micromanager

Version:

1.0.0.0

Modules

Images
c:\program files\cold turkey micromanager\cold turkey micromanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

5000

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\somethingless.rtf" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll

5400

"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\similarpractice.png"

C:\Windows\System32\mspaint.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Paint

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

5684

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Cold Turkey Micromanager Pro v1.1 Final x86 x64.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6312

C:\WINDOWS\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

6704

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

6748

"C:\Users\admin\Desktop\Cold Turkey Micromanager Pro v1.1 Final x86 x64\setup.exe"

C:\Users\admin\Desktop\Cold Turkey Micromanager Pro v1.1 Final x86 x64\setup.exe

explorer.exe

User:

admin

Company:

Cold Turkey Software, Inc.

Integrity Level:

MEDIUM

Description:

Cold Turkey Micromanager Setup

Exit code:

Version:

Modules

Images
c:\users\admin\desktop\cold turkey micromanager pro v1.1 final x86 x64\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6764

"C:\Users\admin\AppData\Local\Temp\is-FVJ3Q.tmp\setup.tmp" /SL5="$30220,4536375,839680,C:\Users\admin\Desktop\Cold Turkey Micromanager Pro v1.1 Final x86 x64\setup.exe"

C:\Users\admin\AppData\Local\Temp\is-FVJ3Q.tmp\setup.tmp

—

setup.exe

User:

admin

Company:

Cold Turkey Software, Inc.

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-fvj3q.tmp\setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

Add for printing

Total events

19 054

Read events

18 624

Write events

408

Delete events

Modification events


(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Cold Turkey Micromanager Pro v1.1 Final x86 x64.rar
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5684) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6864) setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-2E854B5B573F}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.1.0-beta
(PID) Process:	(6864) setup.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-2E854B5B573F}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files\Cold Turkey Micromanager

Add for printing

Executable files

Suspicious files

172

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5684	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5684.37370\Cold Turkey Micromanager Pro v1.1 Final x86 x64\Expasyapp Latest Apps.url		url
		MD5:C918FA848E857769D87C5CE53B6693F3	SHA256:80D68FD6549AC4067BF509D4CD8293B688B65EDFF078470E00CAEE793EFB8E44
5684	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5684.37370\Cold Turkey Micromanager Pro v1.1 Final x86 x64\Crack\how2do.txt		text
		MD5:7A7C0E4C063CB965220EFA0841538BBB	SHA256:035928B844BEEE3941A301610E954593B15E030F9A382A22F73C583A993D6E02
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\is-NIR5T.tmp		executable
		MD5:6257D4A618328BBBCCC63E2DD34CE45C	SHA256:4D62C95536F88EEE447042CF4907BDE48C7F22CEBAC30F7C5AFD4748497CCDC2
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\Microsoft.Toolkit.Uwp.Notifications.dll		executable
		MD5:64D834CD4FE9028027E9AC134D87E135	SHA256:15F26DD94D4A813FDC215D9032BFABA4E1AC677C0F614224286E8F9D1A665A4B
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\is-02SV5.tmp		executable
		MD5:64D834CD4FE9028027E9AC134D87E135	SHA256:15F26DD94D4A813FDC215D9032BFABA4E1AC677C0F614224286E8F9D1A665A4B
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\Microsoft.Win32.TaskScheduler.dll		executable
		MD5:6257D4A618328BBBCCC63E2DD34CE45C	SHA256:4D62C95536F88EEE447042CF4907BDE48C7F22CEBAC30F7C5AFD4748497CCDC2
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\is-6IQEE.tmp		executable
		MD5:BFFD6ACF46DEEBB540C6DA0B4158EA37	SHA256:0CF696102A87CE8F94589D5F4395F86AFD75AAB4D26E97187310EF5B496F030D
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\is-367OU.tmp		executable
		MD5:1E37082BCC1368D5CB844639F7553D68	SHA256:EC75DB7DE574354401B52B8A0FE7F265AC928DCDEC6EF70D9DCD1004D24CAB5A
6864	setup.tmp	C:\Program Files\Cold Turkey Micromanager\unins000.exe		executable
		MD5:1D63BA0BFF134B408853A77A50A49FDD	SHA256:886F75A21201493D735E012C180EE98835AD4704772BDA3B25DC6C9743E03023
5684	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5684.37370\Cold Turkey Micromanager Pro v1.1 Final x86 x64\setup.exe		executable
		MD5:CF52C3127CEF5EE75C031C60FBBB27C4	SHA256:382088D00031A556B3204BF3835B0078FE158FB92A10E8E6FBE66240022B2516

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1156	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2756	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
1156	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5000	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5000	WINWORD.EXE	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
5000	WINWORD.EXE	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.23.227.215:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	40.126.32.136:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19 2.16.164.49 2.16.164.72	whitelisted
www.microsoft.com	184.30.230.103 184.30.21.171 95.101.149.131	whitelisted
www.bing.com	2.23.227.215 2.23.227.208	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.136 40.126.32.74 40.126.32.140 20.190.160.20 40.126.32.68 20.190.160.22 40.126.32.133 40.126.32.138	unknown
go.microsoft.com	23.56.254.14	whitelisted
arc.msn.com	20.199.58.43	unknown
fd.api.iris.microsoft.com	20.199.58.43	whitelisted

Threats

No threats detected

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

Cold Turkey Micromanager Pro v1.1 Final x86 x64.rar

C863C61D7AA8079763C40692CC0E8774

D86B5F7DA357A88802901E129A5979851BB58D84

0D2FB5E8D0E63EE5ED158C1713B425B98C5AD4333FA53F71BCCEEF74E35982DB

98304:w+3dh/eOl0Kg7SWLQsRWeXzdfMlFAA0erLdmGO1bNIp6pj0wHR2UvBWgQVZVxc12:GNqu4DByfA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Executes as Windows Service

INFO

Manual execution by a user

Checks supported languages

Create files in a temporary directory

The process uses the downloaded file

Executable content was dropped or overwritten

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Creates a software uninstall entry

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Reads Environment values

Checks proxy server information

Reads the software policy settings

Disables trace logs

.NET Reactor protector has been detected

Drops encrypted VBS script (Microsoft Script Encoder)

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings