File name:

Cold_Turkey_Installer.exe

Full analysis: https://app.any.run/tasks/f5030b63-f681-4104-a21e-96bc0f764cd3
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 14, 2024, 04:16:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

DAC072A7771507F55AF0E6867BD1F4B8

SHA1:

E82D12E9C6AB234D43C525D5008B81D030215B1C

SHA256:

4E1CBA3F6D103C96CA700963498F5814839D7A32D9158CA342751BDB39EEC106

SSDEEP:

196608:/ywRuP6HZaR3m649LCMgtasNgFxlP9sy3pciX:/ywoPmaQ649LCMg8FXPtZb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • Cold Turkey Blocker.exe (PID: 5980)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads the Windows owner or organization settings

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Executable content was dropped or overwritten

      • Cold_Turkey_Installer.exe (PID: 2728)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • Cold_Turkey_Installer.exe (PID: 5000)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Process drops legitimate windows executable

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Changes Internet Explorer settings (feature browser emulation)

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Executes as Windows Service

      • ServiceHub.Power.exe (PID: 5112)
    • Reads the date of Windows installation

      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads Internet Explorer settings

      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads Microsoft Outlook installation path

      • Cold Turkey Blocker.exe (PID: 5980)
    • The process verifies whether the antivirus software is installed

      • Cold Turkey Blocker.exe (PID: 5980)
    • The process executes via Task Scheduler

      • CTServiceInstaller.exe (PID: 8536)
  • INFO

    • Checks supported languages

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.exe (PID: 5000)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • Cold_Turkey_Installer.exe (PID: 2728)
      • _setup64.tmp (PID: 3080)
      • CTServiceInstaller.exe (PID: 5728)
      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • CTHostInstaller.exe (PID: 648)
      • CTServiceInstaller.exe (PID: 8536)
      • CTHostInstaller.exe (PID: 3688)
      • CTHostInstaller.exe (PID: 4228)
      • identity_helper.exe (PID: 556)
    • Process checks computer location settings

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads the computer name

      • Cold_Turkey_Installer.tmp (PID: 2828)
      • Cold_Turkey_Installer.tmp (PID: 2512)
      • CTServiceInstaller.exe (PID: 5728)
      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • CTHostInstaller.exe (PID: 648)
      • CTHostInstaller.exe (PID: 3688)
      • CTHostInstaller.exe (PID: 4228)
      • CTServiceInstaller.exe (PID: 8536)
      • identity_helper.exe (PID: 556)
    • Create files in a temporary directory

      • Cold_Turkey_Installer.exe (PID: 5000)
      • Cold_Turkey_Installer.exe (PID: 2728)
      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Creates files in the program directory

      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • The process uses the downloaded file

      • Cold_Turkey_Installer.tmp (PID: 2512)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
      • chrome.exe (PID: 8500)
      • chrome.exe (PID: 8248)
      • chrome.exe (PID: 8256)
      • chrome.exe (PID: 8660)
      • chrome.exe (PID: 8768)
      • chrome.exe (PID: 8876)
      • chrome.exe (PID: 8884)
    • The sample compiled with english language support

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Creates a software uninstall entry

      • Cold_Turkey_Installer.tmp (PID: 2512)
    • Reads the machine GUID from the registry

      • CTServiceInstaller.exe (PID: 5728)
      • ServiceHub.Helper.exe (PID: 3144)
      • ServiceHub.Power.exe (PID: 5112)
      • Cold Turkey Blocker.exe (PID: 5980)
      • CTHostInstaller.exe (PID: 3688)
      • CTHostInstaller.exe (PID: 4228)
      • CTServiceInstaller.exe (PID: 8536)
      • CTHostInstaller.exe (PID: 648)
    • Sends debugging messages

      • ServiceHub.Power.exe (PID: 5112)
      • ServiceHub.Helper.exe (PID: 3144)
      • Cold Turkey Blocker.exe (PID: 5980)
    • Checks proxy server information

      • Cold Turkey Blocker.exe (PID: 5980)
    • Reads Environment values

      • Cold Turkey Blocker.exe (PID: 5980)
      • identity_helper.exe (PID: 556)
    • Reads the software policy settings

      • Cold Turkey Blocker.exe (PID: 5980)
    • Disables trace logs

      • Cold Turkey Blocker.exe (PID: 5980)
    • Application launched itself

      • firefox.exe (PID: 4716)
      • firefox.exe (PID: 4992)
      • chrome.exe (PID: 4500)
      • msedge.exe (PID: 644)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 4992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

ProductVersion: 4.4
ProductName: Cold Turkey Blocker
OriginalFileName:
LegalCopyright:
FileVersion:
FileDescription: Cold Turkey Blocker Setup
CompanyName: Cold Turkey Software, Inc.
Comments: This installation was built with Inno Setup.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6.1
ImageVersion: 6
OSVersion: 6.1
EntryPoint: 0xb5eec
UninitializedDataSize: -
InitializedDataSize: 95232
CodeSize: 741376
LinkerVersion: 2.25
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
TimeStamp: 2020:09:13 09:00:51+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 205
Monitored processes: 81
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Graph nodes in launch order, 81 in total ("no specs" marks a process for which the sandbox raised no indicators):

cold_turkey_installer.exe, cold_turkey_installer.tmp (no specs), cold_turkey_installer.exe, cold_turkey_installer.tmp,
netsh.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), _setup64.tmp (no specs), conhost.exe (no specs),
ctserviceinstaller.exe (no specs), servicehub.power.exe, servicehub.helper.exe, cold turkey blocker.exe,
cthostinstaller.exe (no specs) ×3, cthostinstaller.exe ×3,
firefox.exe (no specs), firefox.exe, chrome.exe, msedge.exe, msedge.exe (no specs), firefox.exe (no specs), chrome.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), firefox.exe (no specs), msedge.exe (no specs) ×4, firefox.exe (no specs), chrome.exe (no specs), chrome.exe, chrome.exe (no specs) ×4, firefox.exe (no specs) ×5, msedge.exe (no specs), chrome.exe (no specs) ×6,
ctserviceinstaller.exe (no specs),
chrome.exe (no specs) ×10, msedge.exe (no specs) ×3, chrome.exe (no specs) ×6, msedge.exe (no specs) ×4, identity_helper.exe (no specs) ×2, msedge.exe (no specs)

Process information

Each entry lists PID, CMD, Path and Parent process, followed by the per-process fields (User, Company, Integrity Level, Description, Exit code, Version) and the first loaded modules.

PID: 2728
CMD: "C:\Users\admin\Desktop\Cold_Turkey_Installer.exe"
Path: C:\Users\admin\Desktop\Cold_Turkey_Installer.exe
Parent process: explorer.exe
User:
admin
Company:
Cold Turkey Software, Inc.
Integrity Level:
MEDIUM
Description:
Cold Turkey Blocker Setup
Version:
Modules
Images
c:\users\admin\desktop\cold_turkey_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2828
CMD: "C:\Users\admin\AppData\Local\Temp\is-HU90G.tmp\Cold_Turkey_Installer.tmp" /SL5="$B02D4,6944635,837632,C:\Users\admin\Desktop\Cold_Turkey_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-HU90G.tmp\Cold_Turkey_Installer.tmp
Parent process: Cold_Turkey_Installer.exe
User:
admin
Company:
Cold Turkey Software, Inc.
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-hu90g.tmp\cold_turkey_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 5000
CMD: "C:\Users\admin\Desktop\Cold_Turkey_Installer.exe" /SPAWNWND=$5030E /NOTIFYWND=$B02D4
Path: C:\Users\admin\Desktop\Cold_Turkey_Installer.exe
Parent process: Cold_Turkey_Installer.tmp
User:
admin
Company:
Cold Turkey Software, Inc.
Integrity Level:
HIGH
Description:
Cold Turkey Blocker Setup
Version:
Modules
Images
c:\users\admin\desktop\cold_turkey_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2512
CMD: "C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp" /SL5="$502F6,6944635,837632,C:\Users\admin\Desktop\Cold_Turkey_Installer.exe" /SPAWNWND=$5030E /NOTIFYWND=$B02D4
Path: C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp
Parent process: Cold_Turkey_Installer.exe
User:
admin
Company:
Cold Turkey Software, Inc.
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vac8n.tmp\cold_turkey_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 2160
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: Cold_Turkey_Installer.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4764
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 556
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=in program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: Cold_Turkey_Installer.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3080
CMD: helper 105 0x560
Path: C:\Users\admin\AppData\Local\Temp\is-DHG46.tmp\_isetup\_setup64.tmp
Parent process: Cold_Turkey_Installer.tmp
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\is-dhg46.tmp\_isetup\_setup64.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\sechost.dll
PID: 5604
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: _setup64.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
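The process entries above list each parent by image name only, and two of them share the name Cold_Turkey_Installer.tmp, so the chain is easy to misread. The following added example (not code from the ANY.RUN report or from Cold Turkey Software) rebuilds the chain from those records, flags the MEDIUM to HIGH integrity hop, and parses the two netsh rule additions. The PIDs, integrity levels and command lines are copied from the entries above; the parent-resolution rule (most recently started earlier process with that image name) is this example's own assumption. A caveat worth noting while reading the entries: the netsh command lines name C:\Windows\System32, but the recorded image path is C:\Windows\SysWOW64, because the installer is 32-bit and WOW64 file-system redirection applies to what it launches.

```python
# Added example (not from the ANY.RUN report or Cold Turkey Software): rebuild the
# installer's process chain from the Process information entries above, flag the
# MEDIUM->HIGH hop and parse the netsh firewall-rule command lines.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    name: str
    parent: str                       # parent image name, as the report lists it
    integrity: str                    # MEDIUM or HIGH
    cmdline: str
    parent_pid: Optional[int] = None  # resolved by build_tree()
    children: list = field(default_factory=list)


# Constructed from the report, in the order the report lists the processes.
RECORDS = [
    Proc(2728, "Cold_Turkey_Installer.exe", "explorer.exe", "MEDIUM",
         r'"C:\Users\admin\Desktop\Cold_Turkey_Installer.exe"'),
    Proc(2828, "Cold_Turkey_Installer.tmp", "Cold_Turkey_Installer.exe", "MEDIUM",
         r'"C:\Users\admin\AppData\Local\Temp\is-HU90G.tmp\Cold_Turkey_Installer.tmp" '
         r'/SL5="$B02D4,6944635,837632,C:\Users\admin\Desktop\Cold_Turkey_Installer.exe"'),
    Proc(5000, "Cold_Turkey_Installer.exe", "Cold_Turkey_Installer.tmp", "HIGH",
         r'"C:\Users\admin\Desktop\Cold_Turkey_Installer.exe" /SPAWNWND=$5030E /NOTIFYWND=$B02D4'),
    Proc(2512, "Cold_Turkey_Installer.tmp", "Cold_Turkey_Installer.exe", "HIGH",
         r'"C:\Users\admin\AppData\Local\Temp\is-VAC8N.tmp\Cold_Turkey_Installer.tmp" '
         r'/SL5="$502F6,6944635,837632,C:\Users\admin\Desktop\Cold_Turkey_Installer.exe" '
         r'/SPAWNWND=$5030E /NOTIFYWND=$B02D4'),
    Proc(2160, "netsh.exe", "Cold_Turkey_Installer.tmp", "HIGH",
         r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" '
         r'dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow'),
    Proc(556, "netsh.exe", "Cold_Turkey_Installer.tmp", "HIGH",
         r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" '
         r'dir=in program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow'),
    Proc(3080, "_setup64.tmp", "Cold_Turkey_Installer.tmp", "HIGH", "helper 105 0x560"),
]


def build_tree(records):
    """Index by PID and resolve parent image names to PIDs.

    The report records parent *names* only, so this example assumes the parent
    is the most recently started earlier process with that image name; that
    disambiguates the two processes called Cold_Turkey_Installer.tmp.
    """
    tree = {}
    for p in records:
        p.children, p.parent_pid = [], None
        for candidate in reversed(list(tree.values())):
            if candidate.name.lower() == p.parent.lower():
                p.parent_pid = candidate.pid
                candidate.children.append(p.pid)
                break
        tree[p.pid] = p
    return tree


def lineage(tree, pid):
    """PIDs from the root of the chain down to `pid`."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = tree[pid].parent_pid
    return chain[::-1]


def elevation_hops(tree):
    """(parent, child) edges where integrity rises MEDIUM -> HIGH: for an Inno Setup
    installer this is the UAC re-launch of the .exe with /SPAWNWND and /NOTIFYWND."""
    return [(p.parent_pid, p.pid) for p in tree.values()
            if p.parent_pid is not None
            and tree[p.parent_pid].integrity == "MEDIUM" and p.integrity == "HIGH"]


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"
_MARKER = "advfirewall firewall add rule"


def firewall_rules(tree):
    """Parse every `netsh advfirewall firewall add rule ...` command line in the tree."""
    rules = []
    for p in tree.values():
        low = p.cmdline.lower()
        if p.name.lower() != "netsh.exe" or _MARKER not in low:
            continue
        args = p.cmdline[low.index(_MARKER) + len(_MARKER):]
        rule = {k.lower(): (quoted or bare) for k, quoted, bare in _KV.findall(args)}
        rule["pid"], rule["parent_pid"] = p.pid, p.parent_pid
        rules.append(rule)
    return rules


if __name__ == "__main__":
    tree = build_tree(RECORDS)
    print(" -> ".join(f"{tree[x].name}({x},{tree[x].integrity})" for x in lineage(tree, 2160)))
    print("MEDIUM->HIGH hops:", elevation_hops(tree))
    for r in firewall_rules(tree):
        print(f"pid {r['pid']} <- {r['parent_pid']}: {r['dir']} {r['action']} {r['program']}")
```

Run stand-alone it prints the chain explorer.exe-child 2728 (MEDIUM) to 2828 (MEDIUM) to 5000 (HIGH) to 2512 (HIGH) to netsh 2160, one hop (2828, 5000), and the two rules, both spawned by the elevated 2512: an outbound and an inbound allow for C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe. Both rules are program-scoped allows rather than port openings, which is what the "Uses NETSH.EXE to add a firewall rule" signature is reacting to.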
Total events: 32,208
Read events: 32,134
Write events: 72
Delete events: 2

Modification events

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings
Operation: write
Name: JustInstalled
Value: true

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings
Operation: write
Name: Restarted
Value: false

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write
Name: Cold Turkey Blocker.exe
Value: 11000

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
Operation: write
Name: Cold Turkey Blocker.exe
Value: 1

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.1.0-beta

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Cold Turkey

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Cold Turkey\

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Cold Turkey Software

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write
Name: Inno Setup: User
Value: admin

Process: (2512) Cold_Turkey_Installer.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write
Name: Inno Setup: Language
Value: english
Executable files: 44
Suspicious files: 598
Text files: 325
Unknown types: 8

Dropped files

PID | Process | Filename | Type

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTMsgHostChrome.json | binary
MD5: 9F9FEF0EF707D3B2DCAB79428390B9BE
SHA256: C304EF695BB3A6220ED56E6FD3B0539CED6EE20A90AD9D1237876B46F71D1A16

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\unins000.exe | executable
MD5: E57D9126EBA98EF808173F04B71994CF
SHA256: 2C9D704D0718FABB7B80970623974193ABCDFB5DAA2E93B1F5747BA0424651B5

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTHostInstaller.exe | executable
MD5: C2E639633D46B0F92518ACD99B2CCA4B
SHA256: 5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTMsgHostFirefox.exe | executable
MD5: FD021FAB39118DCD789631C2B2E48018
SHA256: FCB9B59D50544547DC298A7195DED5BB2EFC0C2F2CEA900D5F6B3EB9084D8C31

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTMsgHostEdge.json | binary
MD5: 0A8AF25D1F9D0A3D27C8DCE58C8E4B86
SHA256: 6949974F9F8BC30A1EBA5747B854C2F8C9B9CA0D315251830DF3EB2044D9C53D

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe | executable
MD5: 63749ED774E00D7C42697BBFF53782DA
SHA256: 0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-7IBO2.tmp | binary
MD5: 9F9FEF0EF707D3B2DCAB79428390B9BE
SHA256: C304EF695BB3A6220ED56E6FD3B0539CED6EE20A90AD9D1237876B46F71D1A16

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-287C8.tmp | binary
MD5: 0A8AF25D1F9D0A3D27C8DCE58C8E4B86
SHA256: 6949974F9F8BC30A1EBA5747B854C2F8C9B9CA0D315251830DF3EB2044D9C53D

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\is-IM22M.tmp | executable
MD5: 63749ED774E00D7C42697BBFF53782DA
SHA256: 0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420

2512 | Cold_Turkey_Installer.tmp | C:\Program Files\Cold Turkey\CTMsgHostEdge.exe | executable
MD5: C55065EBB92597E89927BDEFF52D7A96
SHA256: 22C9B4D23F557A9BF8476910A2E5631E30CE62148506C58A5D595DA962D98460
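Ten dropped-file rows, but only seven distinct SHA256 values: the three is-XXXXX.tmp entries carry the same hashes as CTMsgHostChrome.json, CTMsgHostEdge.json and Cold Turkey Blocker.exe. That is Inno Setup's convention of writing each file into the target directory under a staging name and then renaming it, so they are not additional payloads. The added example below (not code from the ANY.RUN report or from Cold Turkey Software) groups the rows by hash to recover that mapping, lists the distinct final executables, and checks that the MD5 and SHA256 columns are paired consistently across the table. ROWS is copied from the table above; the staging-name pattern is the only assumption.

```python
# Added example (not from the ANY.RUN report or Cold Turkey Software): group the
# report's dropped files by SHA256 so Inno Setup staging copies (is-XXXXX.tmp)
# are matched to the files they become, and sanity-check the hash columns.
import ntpath
import re
from collections import defaultdict

# (path, type, MD5, SHA256) constructed from the Dropped files table above.
# Every row was dropped by PID 2512, Cold_Turkey_Installer.tmp.
ROWS = [
    (r"C:\Program Files\Cold Turkey\CTMsgHostChrome.json", "binary",
     "9F9FEF0EF707D3B2DCAB79428390B9BE",
     "C304EF695BB3A6220ED56E6FD3B0539CED6EE20A90AD9D1237876B46F71D1A16"),
    (r"C:\Program Files\Cold Turkey\unins000.exe", "executable",
     "E57D9126EBA98EF808173F04B71994CF",
     "2C9D704D0718FABB7B80970623974193ABCDFB5DAA2E93B1F5747BA0424651B5"),
    (r"C:\Program Files\Cold Turkey\CTHostInstaller.exe", "executable",
     "C2E639633D46B0F92518ACD99B2CCA4B",
     "5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2"),
    (r"C:\Program Files\Cold Turkey\CTMsgHostFirefox.exe", "executable",
     "FD021FAB39118DCD789631C2B2E48018",
     "FCB9B59D50544547DC298A7195DED5BB2EFC0C2F2CEA900D5F6B3EB9084D8C31"),
    (r"C:\Program Files\Cold Turkey\CTMsgHostEdge.json", "binary",
     "0A8AF25D1F9D0A3D27C8DCE58C8E4B86",
     "6949974F9F8BC30A1EBA5747B854C2F8C9B9CA0D315251830DF3EB2044D9C53D"),
    (r"C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe", "executable",
     "63749ED774E00D7C42697BBFF53782DA",
     "0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420"),
    (r"C:\Program Files\Cold Turkey\is-7IBO2.tmp", "binary",
     "9F9FEF0EF707D3B2DCAB79428390B9BE",
     "C304EF695BB3A6220ED56E6FD3B0539CED6EE20A90AD9D1237876B46F71D1A16"),
    (r"C:\Program Files\Cold Turkey\is-287C8.tmp", "binary",
     "0A8AF25D1F9D0A3D27C8DCE58C8E4B86",
     "6949974F9F8BC30A1EBA5747B854C2F8C9B9CA0D315251830DF3EB2044D9C53D"),
    (r"C:\Program Files\Cold Turkey\is-IM22M.tmp", "executable",
     "63749ED774E00D7C42697BBFF53782DA",
     "0E609F514B197A41F4AB88DD537F47018108E0336104F8C91168F4FDA5148420"),
    (r"C:\Program Files\Cold Turkey\CTMsgHostEdge.exe", "executable",
     "C55065EBB92597E89927BDEFF52D7A96",
     "22C9B4D23F557A9BF8476910A2E5631E30CE62148506C58A5D595DA962D98460"),
]

# Inno Setup writes each file as is-XXXXX.tmp in the target directory, then renames it.
STAGING = re.compile(r"^is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)


def by_sha256(rows):
    """SHA256 (lower-case) -> list of paths carrying that hash."""
    groups = defaultdict(list)
    for path, _type, _md5, sha256 in rows:
        groups[sha256.lower()].append(path)
    return dict(groups)


def staging_map(rows):
    """Staging file name -> final file name(s) with the same SHA256."""
    out = {}
    for paths in by_sha256(rows).values():
        names = [ntpath.basename(p) for p in paths]
        final = [n for n in names if not STAGING.match(n)]
        for n in names:
            if STAGING.match(n):
                out[n] = final
    return out


def unique_executables(rows):
    """Final (non-staging) executables, one name per distinct SHA256."""
    seen = {}
    for path, ftype, _md5, sha256 in rows:
        name = ntpath.basename(path)
        if ftype == "executable" and not STAGING.match(name):
            seen.setdefault(sha256.lower(), name)
    return sorted(seen.values())


def hashes_consistent(rows):
    """True when each SHA256 is paired with exactly one MD5 and vice versa."""
    md5_for, sha_for = {}, {}
    for _path, _type, md5, sha256 in rows:
        md5, sha256 = md5.lower(), sha256.lower()
        if md5_for.setdefault(sha256, md5) != md5 or sha_for.setdefault(md5, sha256) != sha256:
            return False
    return True


if __name__ == "__main__":
    print(len(ROWS), "rows,", len(by_sha256(ROWS)), "distinct SHA256 values")
    for staged, final in staging_map(ROWS).items():
        print(staged, "->", final)
    print("unique executables:", unique_executables(ROWS))
    print("md5/sha256 pairing consistent:", hashes_consistent(ROWS))
```

The same grouping is what you would run over a full dropped-files export before submitting hashes elsewhere: the is-*.tmp rows add no new content, so the five distinct executables (unins000.exe, CTHostInstaller.exe, CTMsgHostFirefox.exe, Cold Turkey Blocker.exe, CTMsgHostEdge.exe) are the set worth hashing, signature-checking or detonating on their own.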
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 265
TCP/UDP connections: 172
DNS requests: 142
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 34.117.188.166:443 | https://contile.services.mozilla.com/v1/tiles | unknown | - | - | -
5208 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | - | - | -
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5208 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 101 | 34.107.243.93:443 | https://push.services.mozilla.com/ | unknown | - | - | -
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4992 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | - | - | whitelisted
4992 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | - | - | whitelisted
- | - | GET | 200 | 142.250.185.234:443 | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST&$req=ChUKE25hdmNsaWVudC1hdXRvLWZmb3gaJwgFEAEaGwoNCAUQBhgBIgMwMDEwARD31RUaAhgJ1ShmESICIAIoARonCAEQARobCg0IARAGGAEiAzAwMTABEJz_DRoCGAnWZvpiIgIgAigBGicIAxABGhsKDQgDEAYYASIDMDAxMAEQpPYNGgIYCRiY-6YiAiACKAEaJwgHEAEaGwoNCAcQBhgBIgMwMDEwARDLxQ4aAhgJeFtrxyICIAIoARolCAkQARoZCg0ICRAGGAEiAzAwMTABECMaAhgJi9M7nSICIAIoAQ== | unknown | binary | 6.90 Mb | whitelisted

("-" marks a cell the report leaves empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5208 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5208 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5208 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

("-" marks a cell the report leaves empty.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.131
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
getcoldturkey.com
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.48.1
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.96.1
  • 104.21.112.1
  • 2606:4700:3030::6815:7001
  • 2606:4700:3030::6815:1001
  • 2606:4700:3030::6815:3001
  • 2606:4700:3030::6815:6001
  • 2606:4700:3030::6815:5001
  • 2606:4700:3030::6815:4001
  • 2606:4700:3030::6815:2001
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
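Every network row shown above either carries no PID or belongs to an OS or browser process (System, svchost.exe, MoUsoCoreWorker.exe, firefox.exe); none is attributed to the installer chain or to Cold Turkey's own binaries, every listed destination is whitelisted, and the Threats count is 0. Attributing rows by PID alone would still be unsafe here: the report reuses PID 556 for netsh.exe (which exited with code 0 during installation) and later for identity_helper.exe. The added example below (not code from the ANY.RUN report) joins on the (PID, image) pair instead and reports the reused PID explicitly. CONNECTIONS is a constructed subset of the HTTP requests and Connections tables above; SAMPLE_PROCS and BACKGROUND_PROCS are assembled from the Indicators and Process information sections.

```python
# Added example (not from the ANY.RUN report): attribute the report's network rows
# to processes by (PID, image) and surface PID reuse that would break a PID-only join.
from collections import Counter, defaultdict

# (pid, process, remote, domain, reputation): constructed subset of the HTTP
# requests and Connections tables above. Rows the report lists without a PID
# are kept with pid=None; an empty reputation cell is kept as None.
CONNECTIONS = [
    (None, None, "34.117.188.166:443", "contile.services.mozilla.com", None),
    (5208, "svchost.exe", "23.53.40.176:80", "crl.microsoft.com", "whitelisted"),
    (None, None, "13.107.6.158:443", "business.bing.com", None),
    (4712, "MoUsoCoreWorker.exe", "184.30.21.171:80", "www.microsoft.com", "whitelisted"),
    (5208, "svchost.exe", "184.30.21.171:80", "www.microsoft.com", "whitelisted"),
    (None, None, "34.107.243.93:443", "push.services.mozilla.com", None),
    (4992, "firefox.exe", "34.107.221.82:80", "detectportal.firefox.com", "whitelisted"),
    (None, None, "142.250.185.234:443", "safebrowsing.googleapis.com", "whitelisted"),
    (4, "System", "192.168.100.255:137", None, "whitelisted"),
    (4712, "MoUsoCoreWorker.exe", "51.124.78.146:443", "settings-win.data.microsoft.com", "whitelisted"),
    (None, None, "104.126.37.145:443", "www.bing.com", "whitelisted"),
]

# (pid, image) pairs the Indicators / Process information sections attribute to
# the installer chain and to Cold Turkey's own binaries.
SAMPLE_PROCS = {
    (2728, "Cold_Turkey_Installer.exe"), (2828, "Cold_Turkey_Installer.tmp"),
    (5000, "Cold_Turkey_Installer.exe"), (2512, "Cold_Turkey_Installer.tmp"),
    (2160, "netsh.exe"), (556, "netsh.exe"), (3080, "_setup64.tmp"),
    (5728, "CTServiceInstaller.exe"), (8536, "CTServiceInstaller.exe"),
    (5112, "ServiceHub.Power.exe"), (3144, "ServiceHub.Helper.exe"),
    (5980, "Cold Turkey Blocker.exe"),
    (648, "CTHostInstaller.exe"), (3688, "CTHostInstaller.exe"), (4228, "CTHostInstaller.exe"),
}
# OS and browser processes named in the same sections.
BACKGROUND_PROCS = {
    (4, "System"), (4712, "MoUsoCoreWorker.exe"), (5208, "svchost.exe"),
    (4992, "firefox.exe"), (4716, "firefox.exe"), (4500, "chrome.exe"), (644, "msedge.exe"),
    (556, "identity_helper.exe"),
}


def pid_reuse(*proc_sets):
    """PIDs that the report attaches to more than one image name."""
    images = defaultdict(set)
    for procs in proc_sets:
        for pid, image in procs:
            images[pid].add(image)
    return {pid: names for pid, names in images.items() if len(names) > 1}


def attribute(rows, sample_procs, background_procs):
    """Split rows into sample / background / unattributed, joining on (pid, image)."""
    buckets = {"sample": [], "background": [], "unattributed": []}
    for row in rows:
        pid, image = row[0], row[1]
        if pid is not None and (pid, image) in sample_procs:
            buckets["sample"].append(row)
        elif pid is not None and (pid, image) in background_procs:
            buckets["background"].append(row)
        else:
            buckets["unattributed"].append(row)
    return buckets


def reputation_summary(rows):
    """Count of rows per reputation label; empty cells are counted as 'none'."""
    return Counter(rep or "none" for *_, rep in rows)


if __name__ == "__main__":
    buckets = attribute(CONNECTIONS, SAMPLE_PROCS, BACKGROUND_PROCS)
    print({name: len(rows) for name, rows in buckets.items()})
    print("reused PIDs:", pid_reuse(SAMPLE_PROCS, BACKGROUND_PROCS))
    print("reputation:", reputation_summary(CONNECTIONS))
```

With the report's data the sample bucket is empty and PID 556 is reported as shared by netsh.exe and identity_helper.exe. The rows without a PID stay unattributed rather than being guessed; in the full report the PCAP is the place to resolve them, not the PID column.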

Threats

No threats detected
Process
Message
ServiceHub.Power.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
ServiceHub.Helper.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
Cold Turkey Blocker.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...