File name: Cold_Turkey_Installer.exe
Full analysis: https://app.any.run/tasks/f5030b63-f681-4104-a21e-96bc0f764cd3
Verdict: Malicious activity
Threats:

Stealers are malware built to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords and cryptocurrency wallets, and many also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed mainly through phishing campaigns.

Caveat for this report: the stealer tag rests on a single behavioral signature ("Actions looks like stealing of personal data") raised by Cold Turkey Blocker.exe. Weigh it against the rest of the page before acting on the verdict: the network sections record no threats, every domain listed is marked whitelisted, the only non-Microsoft, Google or Mozilla destination among the listed domains is getcoldturkey.com (opened by the blocker in the installed browsers), and the sample carries Cold Turkey Software, Inc. version information and an Inno Setup signature. The blocker's reads of the Outlook installation path, Internet Explorer settings and installed-antivirus state are consistent with a stealer but equally with a productivity blocker inventorying installed software; the artifacts behind the signature are only in the full report linked above.

Analysis date: December 14, 2024, 04:16:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: DAC072A7771507F55AF0E6867BD1F4B8
SHA1: E82D12E9C6AB234D43C525D5008B81D030215B1C
SHA256: 4E1CBA3F6D103C96CA700963498F5814839D7A32D9158CA342751BDB39EEC106
SSDEEP: 196608:/ywRuP6HZaR3m649LCMgtasNgFxlP9sy3pciX:/ywoPmaQ649LCMg8FXPtZb

ANY.RUN is an interactive service that gives full access to the guest system. Information in this report may have been distorted by user actions and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • Cold Turkey Blocker.exe (PID: 5980)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Executable content was dropped or overwritten

      • Cold_Turkey_Installer.exe (PID: 2728)
      • Cold_Turkey_Installer.exe (PID: 5000)
      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Reads the Windows owner or organization settings

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Process drops legitimate windows executable

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Executes as Windows Service

      • ServiceHub.Power.exe (PID: 5112)
    • Changes Internet Explorer settings (feature browser emulation)

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Reads the date of Windows installation

      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads Microsoft Outlook installation path

      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads Internet Explorer settings

      • Cold Turkey Blocker.exe (PID: 5980)
    • The process verifies whether the antivirus software is installed

      • Cold Turkey Blocker.exe (PID: 5980)
    • The process executes via Task Scheduler

      • CTServiceInstaller.exe (PID: 8536)
  • INFO

    • Create files in a temporary directory

      • Cold_Turkey_Installer.exe (PID: 2728)
      • Cold_Turkey_Installer.exe (PID: 5000)
      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Checks supported languages

      • Cold_Turkey_Installer.exe (PID: 2728)
      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.exe (PID: 5000)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • _setup64.tmp (PID: 3080)
      • CTServiceInstaller.exe (PID: 5728)
      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • CTHostInstaller.exe (PID: 648)
      • CTHostInstaller.exe (PID: 4228)
      • CTHostInstaller.exe (PID: 3688)
      • CTServiceInstaller.exe (PID: 8536)
      • identity_helper.exe (PID: 556)
    • Reads the computer name

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • CTServiceInstaller.exe (PID: 5728)
      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • CTHostInstaller.exe (PID: 648)
      • CTHostInstaller.exe (PID: 3688)
      • CTServiceInstaller.exe (PID: 8536)
      • identity_helper.exe (PID: 556)
      • CTHostInstaller.exe (PID: 4228)
    • Process checks computer location settings

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • The process uses the downloaded file

      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • chrome.exe (PID: 8248)
      • chrome.exe (PID: 8256)
      • chrome.exe (PID: 8500)
      • chrome.exe (PID: 8876)
      • chrome.exe (PID: 8660)
      • chrome.exe (PID: 8768)
      • chrome.exe (PID: 8884)
    • Creates a software uninstall entry

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • The sample compiled with english language support

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Sends debugging messages

      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads the machine GUID from the registry

      • CTServiceInstaller.exe (PID: 5728)
      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • CTHostInstaller.exe (PID: 648)
      • CTHostInstaller.exe (PID: 3688)
      • CTServiceInstaller.exe (PID: 8536)
      • CTHostInstaller.exe (PID: 4228)
    • Creates files in the program directory

      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads Environment values

      • Cold Turkey Blocker.exe (PID: 5980)
      • identity_helper.exe (PID: 556)
    • Checks proxy server information

      • Cold Turkey Blocker.exe (PID: 5980)
    • Application launched itself

      • firefox.exe (PID: 4716)
      • firefox.exe (PID: 4992)
      • chrome.exe (PID: 4500)
      • msedge.exe (PID: 644)
    • Disables trace logs

      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads the software policy settings

      • Cold Turkey Blocker.exe (PID: 5980)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 4992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:09:13 09:00:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Cold Turkey Software, Inc.
FileDescription: Cold Turkey Blocker Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Cold Turkey Blocker
ProductVersion: 4.4
No data.
Total processes: 205
Monitored processes: 81
Malicious processes: 3
Suspicious processes: 2

Behavior graph

(The graph itself is only in the full report; the flattened node list on this page names, in order of appearance, cold_turkey_installer.exe (2 instances), cold_turkey_installer.tmp (2), netsh.exe (2) each with a conhost.exe, _setup64.tmp, ctserviceinstaller.exe (2), servicehub.power.exe, servicehub.helper.exe, cold turkey blocker.exe, cthostinstaller.exe (6), identity_helper.exe (2), and numerous firefox.exe, chrome.exe and msedge.exe child processes. Nodes marked "no specs" carry no process details in the report.)

Process information

PID: 556
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=in program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: Cold_Turkey_Installer.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Note: the command line names C:\Windows\System32\netsh.exe, but the image that ran is C:\Windows\SysWOW64\netsh.exe and the process loaded the wow64*.dll set. The 32-bit Inno Setup stub launched it, so file-system redirection mapped System32 to SysWOW64. The rule itself is an inbound allow for the installed blocker executable, created at HIGH integrity by the elevated installer.
PID: 556
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6520 --field-trial-handle=2464,i,5033635973279788465,15557532245541462664,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\bcrypt.dll
Note: PID 556 also appears above for netsh.exe, which had already exited (exit code 0); the report shows the PID reused later for this Edge utility process, so the two entries are unrelated.
PID: 644
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://getcoldturkey.com/support/extensions/edge/
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: Cold Turkey Blocker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Note: the blocker launched Edge on the vendor's extension page; this, not the installer, is the origin of the msedge.exe process tree in the behavior graph.
PID: 648
CMD: "C:\Program Files\Cold Turkey\CTHostInstaller.exe" firefox false
Path: C:\Program Files\Cold Turkey\CTHostInstaller.exe
Parent process: Cold Turkey Blocker.exe
User: admin
Company: Cold Turkey Software Inc.
Integrity Level: HIGH
Description: CTHostInstaller
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\program files\cold turkey\cthostinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1172
CMD: "C:\Program Files\Cold Turkey\CTHostInstaller.exe" firefox false
Path: C:\Program Files\Cold Turkey\CTHostInstaller.exe
Parent process: Cold Turkey Blocker.exe
User: admin
Company: Cold Turkey Software Inc.
Integrity Level: MEDIUM
Description: CTHostInstaller
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\program files\cold turkey\cthostinstaller.exe
c:\windows\system32\ntdll.dll
Note: exit code 3221226540 is 0xC000042C, the NTSTATUS STATUS_ELEVATION_REQUIRED. This instance was started at MEDIUM integrity and got no further than loading ntdll.dll, while the identical command line run at HIGH integrity (PID 648 above) exited 0 with mscoree.dll loaded, so CTHostInstaller.exe is a .NET executable that requires elevation. The report does not state its purpose; the "firefox" argument and the sibling file CTMsgHostChrome.exe suggest per-browser host registration, but that is an inference.
PID: 1412
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5400 --field-trial-handle=2464,i,5033635973279788465,15557532245541462664,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1488
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2812 --field-trial-handle=2464,i,5033635973279788465,15557532245541462664,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1512
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3692 --field-trial-handle=1788,i,12925730255977428220,4710836975506149247,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2160
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: Cold_Turkey_Installer.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
(This is the matching outbound allow rule for the same program; together with PID 556 it is the basis of the "Uses NETSH.EXE to add a firewall rule or allowed programs" signature.)
PID: 2512
CMD: "C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp" /SL5="$502F6,6944635,837632,C:\Users\admin\Desktop\Cold_Turkey_Installer.exe" /SPAWNWND=$5030E /NOTIFYWND=$B02D4
Path: C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp
Parent process: Cold_Turkey_Installer.exe
User: admin
Company: Cold Turkey Software, Inc.
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-vac8n.tmp\cold_turkey_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
(The /SL5, /SPAWNWND and /NOTIFYWND switches are Inno Setup's internal parameters passed from the on-disk stub to the extracted setup executable; the elevated .tmp process is the one that performs the actual install, which is why most drops and registry writes are attributed to PID 2512.)
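The process table above contains two triage questions a practitioner would want answered automatically across many reports: which command lines add firewall rules (and for what program and direction), and which exit codes are really NTSTATUS failures rather than application return values. The following is an added example written for this page, not ANY.RUN code; the record dict shape is this example's own and the records are transcribed from the table above, not pulled from the service. It also flags the System32-versus-SysWOW64 mismatch that signals a 32-bit parent under file-system redirection.

```python
"""Triage helpers for sandbox process records (added example, not ANY.RUN code)."""
import re
from typing import Optional

# Constructed records transcribed from the process table above; the dict shape
# is this example's own, not an ANY.RUN export format.
PROCESS_RECORDS = [
    {"pid": 556, "parent": "Cold_Turkey_Installer.tmp", "integrity": "HIGH", "exit_code": 0,
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=in program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow',
     "path": r"C:\Windows\SysWOW64\netsh.exe"},
    {"pid": 2160, "parent": "Cold_Turkey_Installer.tmp", "integrity": "HIGH", "exit_code": 0,
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow',
     "path": r"C:\Windows\SysWOW64\netsh.exe"},
    {"pid": 648, "parent": "Cold Turkey Blocker.exe", "integrity": "HIGH", "exit_code": 0,
     "cmd": r'"C:\Program Files\Cold Turkey\CTHostInstaller.exe" firefox false',
     "path": r"C:\Program Files\Cold Turkey\CTHostInstaller.exe"},
    {"pid": 1172, "parent": "Cold Turkey Blocker.exe", "integrity": "MEDIUM", "exit_code": 3221226540,
     "cmd": r'"C:\Program Files\Cold Turkey\CTHostInstaller.exe" firefox false',
     "path": r"C:\Program Files\Cold Turkey\CTHostInstaller.exe"},
]

# Small lookup of NTSTATUS values that commonly surface as process exit codes.
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# key=value pairs as netsh writes them: either a double-quoted value or a bare token.
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ADD_RULE_RE = re.compile(r"add\s+rule", re.IGNORECASE)


def parse_netsh_firewall_rule(cmd: str) -> Optional[dict]:
    """Return the key=value arguments of a 'netsh advfirewall firewall add rule'
    command line (quotes stripped, keys lower-cased), or None for any other line."""
    lowered = " ".join(cmd.lower().split())
    if "netsh" not in lowered or "advfirewall firewall add rule" not in lowered:
        return None
    tail = cmd[ADD_RULE_RE.search(cmd).end():]
    return {k.lower(): (quoted or bare) for k, quoted, bare in ARG_RE.findall(tail)}


def wow64_redirected(cmd: str, path: str) -> bool:
    """True when the command line asked for System32 but the image actually ran
    from SysWOW64: a 32-bit parent hit WOW64 file-system redirection."""
    return "\\system32\\" in cmd.lower() and "\\syswow64\\" in path.lower()


def decode_exit_code(code: Optional[int]) -> Optional[tuple]:
    """Treat an exit code >= 0xC0000000 as an NTSTATUS error and return
    (hex string, symbolic name or None); ordinary return values give None."""
    if code is None:
        return None
    code &= 0xFFFFFFFF
    if code < 0xC0000000:
        return None
    return f"0x{code:08X}", NTSTATUS_NAMES.get(code)


def triage(records: list) -> list:
    """Run both checks over every record and return a flat list of findings."""
    findings = []
    for r in records:
        rule = parse_netsh_firewall_rule(r["cmd"])
        if rule is not None:
            findings.append({
                "kind": "firewall_rule", "pid": r["pid"], "parent": r["parent"],
                "name": rule.get("name"), "dir": rule.get("dir"),
                "program": rule.get("program"), "action": rule.get("action"),
                "wow64_redirected": wow64_redirected(r["cmd"], r["path"]),
            })
        status = decode_exit_code(r.get("exit_code"))
        if status is not None:
            findings.append({
                "kind": "ntstatus_exit", "pid": r["pid"], "integrity": r["integrity"],
                "ntstatus": status[0], "name": status[1],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_RECORDS):
        print(finding)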
Total events: 32 208
Read events: 32 134
Write events: 72
Delete events: 2

Modification events

PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings\JustInstalled = true
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings\Restarted = false
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Cold Turkey Blocker.exe = 11000
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Cold Turkey Blocker.exe = 1
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1\Inno Setup: Setup Version = 6.1.0-beta
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1\Inno Setup: App Path = C:\Program Files\Cold Turkey
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1\InstallLocation = C:\Program Files\Cold Turkey\
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1\Inno Setup: Icon Group = Cold Turkey Software
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1\Inno Setup: User = admin
PID 2512 (Cold_Turkey_Installer.tmp) write: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1\Inno Setup: Language = english
Note: the two FeatureControl values are per-executable opt-ins for the WebBrowser (MSHTML) control embedded in Cold Turkey Blocker.exe; FEATURE_BROWSER_EMULATION = 11000 selects IE11 document mode for pages with a standards DOCTYPE and FEATURE_GPU_RENDERING = 1 turns on GPU rendering for that control. This is the normal registration an application that embeds the control makes, and it is what the "Changes Internet Explorer settings (feature browser emulation)" signature keys on. The Uninstall key ending in _is1 is the uninstall entry Inno Setup writes for every installation.
Executable files: 44
Suspicious files: 598
Text files: 325
Unknown types: 8

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe | executable | 63749ED774E00D7C42697BBFF53782DA | 0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420
5000 | Cold_Turkey_Installer.exe | C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp | executable | 1558F168934A415DBC849DDAF516798E | C366E375C2DF023E2AFEA0CC72557743A0279F69DD20C1558EF59198E042F95C
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-IM22M.tmp | executable | 63749ED774E00D7C42697BBFF53782DA | 0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\unins000.exe | executable | E57D9126EBA98EF808173F04B71994CF | 2C9D704D0718FABB7B80970623974193ABCDFB5DAA2E93B1F5747BA0424651B5
2512 | Cold_Turkey_Installer.tmp | C:\Users\admin\AppData\Local\Temp\is-DHG46.tmp\_isetup\_setup64.tmp | executable | E4211D6D009757C078A9FAC7FF4F03D4 | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-ERR9T.tmp | executable | E57D9126EBA98EF808173F04B71994CF | 2C9D704D0718FABB7B80970623974193ABCDFB5DAA2E93B1F5747BA0424651B5
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-6TMBS.tmp | executable | C2E639633D46B0F92518ACD99B2CCA4B | 5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTMsgHostChrome.exe | executable | 51DF1E551B43B86A09473FC5762CEBEE | E249DF689FE9949F5DEE35C753787946F3E4C0327C1CE8E6E7DDD8B05C90FC4B
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTHostInstaller.exe | executable | C2E639633D46B0F92518ACD99B2CCA4B | 5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2
2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-5FVS1.tmp | executable | 51DF1E551B43B86A09473FC5762CEBEE | E249DF689FE9949F5DEE35C753787946F3E4C0327C1CE8E6E7DDD8B05C90FC4B
(Each is-XXXXX.tmp row shares its hash with a final file name: Inno Setup extracts a file under a temporary name in the target directory and renames it, so the ten rows correspond to six distinct payloads.)
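When turning a dropped-files table like the one above into indicators, the Inno Setup staging copies inflate the list and the same payload appears under two names. The following is an added example written for this page, not ANY.RUN's or Cold Turkey's code: it groups the rows by SHA-256, separates final names from is-XXXXX.tmp staging names, and offers a lookup for matching a hash found on a host against the report. The rows are transcribed from the table above and embedded as constructed data; the tuple layout is this example's own.

```python
"""Dropped-file triage for an Inno Setup sample (added example, not ANY.RUN code)."""
import hashlib
import re
from collections import defaultdict

# Constructed rows transcribed from the "Dropped files" table above:
# (dropping PID, dropping process, path, SHA-256).
DROPPED = [
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe",
     "0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420"),
    (5000, "Cold_Turkey_Installer.exe", r"C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp",
     "C366E375C2DF023E2AFEA0CC72557743A0279F69DD20C1558EF59198E042F95C"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\is-IM22M.tmp",
     "0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\unins000.exe",
     "2C9D704D0718FABB7B80970623974193ABCDFB5DAA2E93B1F5747BA0424651B5"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Users\admin\AppData\Local\Temp\is-DHG46.tmp\_isetup\_setup64.tmp",
     "388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\is-ERR9T.tmp",
     "2C9D704D0718FABB7B80970623974193ABCDFB5DAA2E93B1F5747BA0424651B5"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\is-6TMBS.tmp",
     "5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\CTMsgHostChrome.exe",
     "E249DF689FE9949F5DEE35C753787946F3E4C0327C1CE8E6E7DDD8B05C90FC4B"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\CTHostInstaller.exe",
     "5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2"),
    (2512, "Cold_Turkey_Installer.tmp", r"C:\Program Files\Cold Turkey\is-5FVS1.tmp",
     "E249DF689FE9949F5DEE35C753787946F3E4C0327C1CE8E6E7DDD8B05C90FC4B"),
]

# Inno Setup extracts each file as "is-XXXXX.tmp" in the target directory and
# then renames it, so the staging copy and the final file carry the same hash.
# The pattern is anchored at the file name; an is-XXXXX.tmp *directory* does not match.
INNO_STAGING_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)


def is_inno_staging_name(path: str) -> bool:
    return INNO_STAGING_RE.search(path) is not None


def build_hash_index(rows) -> dict:
    """Group dropped files by lower-cased SHA-256, separating final names
    from staging names and recording which PIDs wrote each payload."""
    groups = defaultdict(list)
    for pid, _proc, path, sha in rows:
        groups[sha.lower()].append((pid, path))
    index = {}
    for sha, entries in groups.items():
        index[sha] = {
            "final_names": [p for _, p in entries if not is_inno_staging_name(p)],
            "staging_names": [p for _, p in entries if is_inno_staging_name(p)],
            "droppers": sorted({pid for pid, _ in entries}),
        }
    return index


def sha256_hex(data: bytes) -> str:
    """Hash file contents read from a host so they can be looked up in the index."""
    return hashlib.sha256(data).hexdigest()


def match_ioc(sha256: str, index: dict) -> list:
    """Final file names whose dropped hash equals sha256 (case-insensitive);
    an empty list means the file is not among the report's dropped payloads."""
    entry = index.get(sha256.lower())
    return entry["final_names"] if entry else []


if __name__ == "__main__":
    idx = build_hash_index(DROPPED)
    print(f"{len(DROPPED)} dropped rows, {len(idx)} distinct payloads")
    for sha, e in idx.items():
        print(sha[:16], e["final_names"], "staging copies:", len(e["staging_names"]))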
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 265
TCP/UDP connections: 172
DNS requests: 142
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5208 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5208 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | - | - | -
- | - | GET | 204 | 34.117.188.166:443 | https://contile.services.mozilla.com/v1/tiles | unknown | - | - | -
- | - | GET | 101 | 34.107.243.93:443 | https://push.services.mozilla.com/ | unknown | - | - | -
4992 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | - | - | whitelisted
4992 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | - | - | whitelisted
- | - | GET | 200 | 142.250.181.227:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=122 | unknown | compressed | 90.4 Kb | whitelisted
(None of the listed requests originate from the Cold Turkey processes; they are Windows CRL fetches, Edge, Firefox and Chrome background traffic. This page shows only a subset of the 265 requests; the rest are in the full report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5208 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5208 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5208 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.131
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
getcoldturkey.com
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.48.1
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.96.1
  • 104.21.112.1
  • 2606:4700:3030::6815:7001
  • 2606:4700:3030::6815:1001
  • 2606:4700:3030::6815:3001
  • 2606:4700:3030::6815:6001
  • 2606:4700:3030::6815:5001
  • 2606:4700:3030::6815:4001
  • 2606:4700:3030::6815:2001
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

No threats detected
Debug messages (the source of the "Sends debugging messages" signature)

Process | Message
ServiceHub.Power.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
ServiceHub.Helper.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
Cold Turkey Blocker.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...