File name: ColdT.exe

Full analysis: https://app.any.run/tasks/41b0986f-ebe1-4821-816b-cb26fb1f6cc8
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 19, 2025, 07:41:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
inno
installer
stealer
clean
browserhooks
safe
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: B6B9403E3CABE7FCFF7A8213333E7978
SHA1: 50EECD6A7E17AB7E7E19F381C811933ABD221597
SHA256: 5636117E2137FF21D771C7DFEF1EA0776C62F34AB37541E9DB3BE09B4D820ABA
SSDEEP: 98304:0LVIF8P3n1BLHxtD59KEKjSvke2LmOtyqZ27KiX/bjyPDu/Jc4VdQv9R42iP5L1S:xlc0mC4TNgoks0S5Qzd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • Cold Turkey Blocker.exe (PID: 4116)
    • Steals credentials from Web Browsers

      • Cold Turkey Blocker.exe (PID: 4116)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ColdT.exe (PID: 3788)
      • ColdT.exe (PID: 3888)
      • ColdT.tmp (PID: 3460)
      • _unins.tmp (PID: 7044)
      • unins000.exe (PID: 1056)
    • Reads security settings of Internet Explorer

      • ColdT.tmp (PID: 2492)
      • ColdT.tmp (PID: 3460)
      • Cold Turkey Blocker.exe (PID: 4116)
      • ServiceHub.Helper.exe (PID: 6304)
      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
    • Reads the Windows owner or organization settings

      • ColdT.tmp (PID: 3460)
      • _unins.tmp (PID: 7044)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • ColdT.tmp (PID: 3460)
    • Process drops legitimate windows executable

      • ColdT.tmp (PID: 3460)
    • Changes Internet Explorer settings (feature browser emulation)

      • ColdT.tmp (PID: 3460)
    • Executes as Windows Service

      • ServiceHub.Power.exe (PID: 5236)
    • Reads the date of Windows installation

      • ServiceHub.Helper.exe (PID: 6304)
      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 7008)
      • schtasks.exe (PID: 5060)
    • Reads Microsoft Outlook installation path

      • Cold Turkey Blocker.exe (PID: 4116)
    • Reads Internet Explorer settings

      • Cold Turkey Blocker.exe (PID: 4116)
    • The process verifies whether the antivirus software is installed

      • Cold Turkey Blocker.exe (PID: 4116)
    • Starts application with an unusual extension

      • unins000.exe (PID: 1056)
    • Starts itself from another location

      • unins000.exe (PID: 1056)
  • INFO

    • Create files in a temporary directory

      • ColdT.exe (PID: 3788)
      • ColdT.exe (PID: 3888)
      • ColdT.tmp (PID: 3460)
      • _unins.tmp (PID: 7044)
      • unins000.exe (PID: 1056)
    • Checks supported languages

      • ColdT.tmp (PID: 2492)
      • ColdT.exe (PID: 3888)
      • ColdT.exe (PID: 3788)
      • ColdT.tmp (PID: 3460)
      • _setup64.tmp (PID: 1180)
      • CTServiceInstaller.exe (PID: 6980)
      • ServiceHub.Power.exe (PID: 5236)
      • ServiceHub.Helper.exe (PID: 6304)
      • Cold Turkey Blocker.exe (PID: 4116)
      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
      • unins000.exe (PID: 1056)
      • _unins.tmp (PID: 7044)
    • Process checks computer location settings

      • ColdT.tmp (PID: 2492)
      • ColdT.tmp (PID: 3460)
      • ServiceHub.Helper.exe (PID: 6304)
      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
      • _unins.tmp (PID: 7044)
    • Reads the computer name

      • ColdT.exe (PID: 3888)
      • ColdT.tmp (PID: 2492)
      • ColdT.tmp (PID: 3460)
      • ServiceHub.Power.exe (PID: 5236)
      • CTServiceInstaller.exe (PID: 6980)
      • ServiceHub.Helper.exe (PID: 6304)
      • Cold Turkey Blocker.exe (PID: 4116)
      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
      • _unins.tmp (PID: 7044)
      • unins000.exe (PID: 1056)
    • Detects InnoSetup installer (YARA)

      • ColdT.exe (PID: 3788)
      • ColdT.tmp (PID: 2492)
      • ColdT.tmp (PID: 3460)
      • ColdT.exe (PID: 3888)
    • Compiled with Borland Delphi (YARA)

      • ColdT.exe (PID: 3788)
      • ColdT.tmp (PID: 2492)
      • ColdT.exe (PID: 3888)
      • ColdT.tmp (PID: 3460)
    • Creates files in the program directory

      • ColdT.tmp (PID: 3460)
      • ServiceHub.Power.exe (PID: 5236)
      • ServiceHub.Helper.exe (PID: 6304)
      • Cold Turkey Blocker.exe (PID: 4116)
    • The sample was compiled with English language support

      • ColdT.tmp (PID: 3460)
    • Creates a software uninstall entry

      • ColdT.tmp (PID: 3460)
    • Reads the machine GUID from the registry

      • CTServiceInstaller.exe (PID: 6980)
      • ServiceHub.Helper.exe (PID: 6304)
      • Cold Turkey Blocker.exe (PID: 4116)
      • ServiceHub.Power.exe (PID: 5236)
      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
    • Checks proxy server information

      • Cold Turkey Blocker.exe (PID: 4116)
      • slui.exe (PID: 7084)
    • Reads the software policy settings

      • Cold Turkey Blocker.exe (PID: 4116)
      • slui.exe (PID: 7084)
    • Reads Environment values

      • Cold Turkey Blocker.exe (PID: 4116)
    • Disables trace logs

      • Cold Turkey Blocker.exe (PID: 4116)
    • Manual execution by a user

      • Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe (PID: 5684)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:13 06:55:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 168448
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Cold Turkey Software, Inc.
FileDescription: Cold Turkey Blocker Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Cold Turkey Blocker
ProductVersion: 4.7
All screenshots are available in the full report
Total processes: 170
Monitored processes: 22
Malicious processes: 4
Suspicious processes: 4

Behavior graph

Processes in start order ("no specs" marks a process with no indicators attached in the report): coldt.exe, coldt.tmp (no specs), coldt.exe, coldt.tmp, slui.exe, netsh.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), _setup64.tmp (no specs), conhost.exe (no specs), ctserviceinstaller.exe (no specs), servicehub.power.exe, servicehub.helper.exe, cold turkey blocker.exe, blocker_removal_tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe, schtasks.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), unins000.exe, _unins.tmp

Process information

Each entry lists PID, CMD, Path, Parent process and the process metadata, followed by the loaded module images.
PID: 1056
CMD: "C:\Program Files\Cold Turkey\unins000.exe"
Path: C:\Program Files\Cold Turkey\unins000.exe
Parent process: Blocker_Removal_Tool-5cc082fd-d806-40f5-9feb-a3a5a577f67e.exe
User: admin
Company: Cold Turkey Software, Inc.
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\program files\cold turkey\unins000.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 1180
CMD: helper 105 0x4BC
Path: C:\Users\admin\AppData\Local\Temp\is-R91B9.tmp\_isetup\_setup64.tmp
Parent process: ColdT.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\is-r91b9.tmp\_isetup\_setup64.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1964
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2492
CMD: "C:\Users\admin\AppData\Local\Temp\is-MDDNV.tmp\ColdT.tmp" /SL5="$60346,6196696,873984,C:\Users\admin\AppData\Local\Temp\ColdT.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-MDDNV.tmp\ColdT.tmp
Parent process: ColdT.exe
User: admin
Company: Cold Turkey Software, Inc.
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-mddnv.tmp\coldt.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 3460
CMD: "C:\Users\admin\AppData\Local\Temp\is-1SVL6.tmp\ColdT.tmp" /SL5="$A0356,6196696,873984,C:\Users\admin\AppData\Local\Temp\ColdT.exe" /SPAWNWND=$A033C /NOTIFYWND=$60346
Path: C:\Users\admin\AppData\Local\Temp\is-1SVL6.tmp\ColdT.tmp
Parent process: ColdT.exe
User: admin
Company: Cold Turkey Software, Inc.
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-1svl6.tmp\coldt.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 3756
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: ColdT.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3788
CMD: "C:\Users\admin\AppData\Local\Temp\ColdT.exe"
Path: C:\Users\admin\AppData\Local\Temp\ColdT.exe
Parent process: explorer.exe
User: admin
Company: Cold Turkey Software, Inc.
Integrity Level: MEDIUM
Description: Cold Turkey Blocker Setup
Exit code: 0
Version: (empty)
Modules (images):
c:\users\admin\appdata\local\temp\coldt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 3888
CMD: "C:\Users\admin\AppData\Local\Temp\ColdT.exe" /SPAWNWND=$A033C /NOTIFYWND=$60346
Path: C:\Users\admin\AppData\Local\Temp\ColdT.exe
Parent process: ColdT.tmp
User: admin
Company: Cold Turkey Software, Inc.
Integrity Level: HIGH
Description: Cold Turkey Blocker Setup
Exit code: 0
Version: (empty)
Modules (images):
c:\users\admin\appdata\local\temp\coldt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 4116
CMD: "C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" -first-run
Path: C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe
Parent process: ServiceHub.Helper.exe
User: admin
Company: Cold Turkey Software Inc.
Integrity Level: MEDIUM
Description: Cold Turkey Blocker
Exit code: 0
Version: 4.7.0.0
Modules (images):
c:\program files\cold turkey\cold turkey blocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: _setup64.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 6 011
Read events: 5 938
Write events: 51
Delete events: 22

Modification events

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings
Operation: write | Name: JustInstalled | Value: true

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings
Operation: write | Name: Restarted | Value: false

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write | Name: Cold Turkey Blocker.exe | Value: 11000

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
Operation: write | Name: Cold Turkey Blocker.exe | Value: 1

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write | Name: Inno Setup: Setup Version | Value: 6.4.2

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write | Name: Inno Setup: App Path | Value: C:\Program Files\Cold Turkey

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write | Name: InstallLocation | Value: C:\Program Files\Cold Turkey\

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write | Name: Inno Setup: Icon Group | Value: Cold Turkey Software

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write | Name: Inno Setup: User | Value: admin

(PID) Process: (3460) ColdT.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation: write | Name: Inno Setup: Language | Value: english
Executable files: 43
Suspicious files: 317
Text files: 186
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3888 | ColdT.exe | C:\Users\admin\AppData\Local\Temp\is-1SVL6.tmp\ColdT.tmp | executable
  MD5: 0053A5649BB3DDC10B6ABFA4D75227CC
  SHA256: 07280184B4996EE57302EEF1DA142A4EBAB76AEDE243AA3B81805ABF2639428F
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\is-0C164.tmp | executable
  MD5: 51879800C2F9046014FE89BEE55F15E1
  SHA256: 510DBDF4B7E1059A2141AC262D0A227D7ABB5D2D9A2B62D1258CCC503AE02407
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\is-US6BI.tmp | executable
  MD5: 5D10D96DF999747598F7C1363CB0565A
  SHA256: EA70AF0341DCFD7376BD890769C168208EC2B34896388CABD2B0D409ACDF6C30
3460 | ColdT.tmp | C:\Users\admin\AppData\Local\Temp\is-R91B9.tmp\_isetup\_setup64.tmp | executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\CTHostInstaller.exe | executable
  MD5: B2A50D11FD396DD2ABADEF34474895AC
  SHA256: 5B1335C0C5DB5AA8D31FB76025BCB1DEAF92CECEC874C49ECEBD3B3DDA548A5B
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\unins000.exe | executable
  MD5: 51879800C2F9046014FE89BEE55F15E1
  SHA256: 510DBDF4B7E1059A2141AC262D0A227D7ABB5D2D9A2B62D1258CCC503AE02407
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\CTMsgHostChrome.exe | executable
  MD5: 32ED7A693763B9A4552A5DFE708E8FD4
  SHA256: 10E127B68EED98197FBCC8E17BB4303A79BDFBBA98C259136BC049EEB65461B3
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\is-9Q62U.tmp | executable
  MD5: B2A50D11FD396DD2ABADEF34474895AC
  SHA256: 5B1335C0C5DB5AA8D31FB76025BCB1DEAF92CECEC874C49ECEBD3B3DDA548A5B
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\is-S28JU.tmp | binary
  MD5: 0A8AF25D1F9D0A3D27C8DCE58C8E4B86
  SHA256: 6949974F9F8BC30A1EBA5747B854C2F8C9B9CA0D315251830DF3EB2044D9C53D
3460 | ColdT.tmp | C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe | executable
  MD5: 5D10D96DF999747598F7C1363CB0565A
  SHA256: EA70AF0341DCFD7376BD890769C168208EC2B34896388CABD2B0D409ACDF6C30
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 31
DNS requests: 24
Threats: 0

HTTP requests

Columns as given in the report: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (two of the ten columns are empty in every row of the report, so each row below carries eight values in the report's order)
1268 | svchost.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3504 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3504 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4060 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | whitelisted
4748 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6312 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.55.110.193, 23.55.110.211 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
login.live.com | 20.190.160.14, 20.190.160.130, 20.190.160.4, 20.190.160.66, 20.190.160.17, 20.190.160.65, 20.190.160.22, 20.190.160.64, 40.126.31.67, 40.126.31.69, 40.126.31.1, 20.190.159.68, 20.190.159.75, 40.126.31.0, 40.126.31.131, 20.190.159.128 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
self.events.data.microsoft.com | 52.182.143.208 | whitelisted

Threats

No threats detected
Debug output

Process | Message
ServiceHub.Power.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
ServiceHub.Helper.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
Cold Turkey Blocker.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...