23a32b9db00c74b0440132fd6dfd0a2b5f9f522b13f59b491c4bbf98070cddf2

Analysis

max time kernel
123s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cold_Turkey_Installer.exe
Size

7.5MB
MD5

eaa0f3ddd71db24c3a64ecf58e40da52
SHA1

eacdae7c9af8ff3be6be93e83a8dbf1a101b823a
SHA256

23a32b9db00c74b0440132fd6dfd0a2b5f9f522b13f59b491c4bbf98070cddf2
SHA512

8a401d476cfb55798d18677023b067cd6a6c642476bd7c496a3b8641794e0e71436f48944f79381b4eaed29c4bfc12d8a1aa706c58826bcbdcf2048011b2b166
SSDEEP

196608:4o+vdaNLCT/KooJh54K+SSz2G/yQ6Owc0DTmpciZ:4plaNLc/KtJhCK1qKQTw7m9

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5072	netsh.exe
540	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Cold_Turkey_Installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	ServiceHub.Helper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Cold Turkey Blocker.exe

Executes dropped EXE 10 IoCs

pid	Process
3656	Cold_Turkey_Installer.tmp
1276	_setup64.tmp
5044	CTServiceInstaller.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
4984	Cold Turkey Blocker.exe
2716	Cold Turkey Blocker.exe
2332	CTHostInstaller.exe
5432	CTServiceInstaller.exe
6128	CTServiceInstaller.exe

Loads dropped DLL 9 IoCs

pid	Process
5044	CTServiceInstaller.exe
5044	CTServiceInstaller.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
4984	Cold Turkey Blocker.exe
5432	CTServiceInstaller.exe
5432	CTServiceInstaller.exe
6128	CTServiceInstaller.exe
6128	CTServiceInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTServiceInstaller.exe.log	CTServiceInstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-DVNH7.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-GVVQ4.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\moment\is-1LK5I.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\licenses\is-MFHCJ.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-K0KPR.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\img\is-E9JGJ.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-ROI24.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-6PEIE.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-ESMF9.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\is-JFMQG.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\is-VDB9A.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-2F3AA.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-CVRKH.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\themes\is-1F6N0.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-3VNR7.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-95UJ3.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\fonts\is-VVFHI.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-1CR4N.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\less\is-1APS6.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-SMH65.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-NGHFI.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-90O78.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-JS42F.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\unins000.dat	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-SBUUO.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-VJVTV.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-DFKBJ.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-36N56.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-II83C.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\is-L3N77.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-AH1IU.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-bez\is-J4770.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\themes\is-LQLB6.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-U3RVU.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\x64\is-IIIRM.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-I8L0L.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-RP6S5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\img\is-71OVF.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\is-HM6NL.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-Q3AEF.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\licenses\is-MT5MN.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-4HMFD.tmp	Cold_Turkey_Installer.tmp
File opened for modification	C:\Program Files\Cold Turkey\unins000.dat	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\is-L7D7F.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-R2UV3.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-TBRKT.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\scripts\is-JM09U.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-MG8Q1.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-88U6Q.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-THUE5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-RNMBU.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\less\is-772B5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\is-MF2GJ.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-5I61L.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\is-UMVPS.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\js\is-TI8J9.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\css\is-0L8T2.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-timespace\is-939F5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\scripts\is-9LN16.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\is-R1L3Q.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-NCS65.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-6TL7I.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-MRV8F.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\img\is-TM9RF.tmp	Cold_Turkey_Installer.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cold_Turkey_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cold_Turkey_Installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Cold_Turkey_Installer.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Cold Turkey Blocker.exe = "11000"	Cold_Turkey_Installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	Cold_Turkey_Installer.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Cold Turkey Blocker.exe = "1"	Cold_Turkey_Installer.tmp
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	Cold Turkey Blocker.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Mozilla\Firefox	ServiceHub.Power.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	ServiceHub.Power.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133707100577198098"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Mozilla\Firefox	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	ServiceHub.Power.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Mozilla	ServiceHub.Power.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	ServiceHub.Power.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
1872	chrome.exe
1872	chrome.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
1352	ServiceHub.Power.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
1352	ServiceHub.Power.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe
2728	ServiceHub.Helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1352	ServiceHub.Power.exe
Token: SeDebugPrivilege	2728	ServiceHub.Helper.exe
Token: SeDebugPrivilege	4984	Cold Turkey Blocker.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3656	Cold_Turkey_Installer.tmp
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
4984	Cold Turkey Blocker.exe
216	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3656	3352	Cold_Turkey_Installer.exe	86
PID 3352 wrote to memory of 3656	3352	Cold_Turkey_Installer.exe	86
PID 3352 wrote to memory of 3656	3352	Cold_Turkey_Installer.exe	86
PID 3656 wrote to memory of 5072	3656	Cold_Turkey_Installer.tmp	92
PID 3656 wrote to memory of 5072	3656	Cold_Turkey_Installer.tmp	92
PID 3656 wrote to memory of 5072	3656	Cold_Turkey_Installer.tmp	92
PID 3656 wrote to memory of 540	3656	Cold_Turkey_Installer.tmp	95
PID 3656 wrote to memory of 540	3656	Cold_Turkey_Installer.tmp	95
PID 3656 wrote to memory of 540	3656	Cold_Turkey_Installer.tmp	95
PID 3656 wrote to memory of 1276	3656	Cold_Turkey_Installer.tmp	97
PID 3656 wrote to memory of 1276	3656	Cold_Turkey_Installer.tmp	97
PID 3656 wrote to memory of 5044	3656	Cold_Turkey_Installer.tmp	100
PID 3656 wrote to memory of 5044	3656	Cold_Turkey_Installer.tmp	100
PID 3656 wrote to memory of 5044	3656	Cold_Turkey_Installer.tmp	100
PID 1352 wrote to memory of 2728	1352	ServiceHub.Power.exe	104
PID 1352 wrote to memory of 2728	1352	ServiceHub.Power.exe	104
PID 2728 wrote to memory of 4984	2728	ServiceHub.Helper.exe	105
PID 2728 wrote to memory of 4984	2728	ServiceHub.Helper.exe	105
PID 4984 wrote to memory of 2332	4984	Cold Turkey Blocker.exe	108
PID 4984 wrote to memory of 2332	4984	Cold Turkey Blocker.exe	108
PID 4984 wrote to memory of 1872	4984	Cold Turkey Blocker.exe	109
PID 4984 wrote to memory of 1872	4984	Cold Turkey Blocker.exe	109
PID 1872 wrote to memory of 4556	1872	chrome.exe	110
PID 1872 wrote to memory of 4556	1872	chrome.exe	110
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3672	1872	chrome.exe	111
PID 1872 wrote to memory of 3656	1872	chrome.exe	112
PID 1872 wrote to memory of 3656	1872	chrome.exe	112
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113
PID 1872 wrote to memory of 3856	1872	chrome.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\is-FFD71.tmp\Cold_Turkey_Installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FFD71.tmp\Cold_Turkey_Installer.tmp" /SL5="$70112,6950134,837632,C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=in program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\is-U1LES.tmp\_isetup\_setup64.tmp
    helper 105 0x84
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Program Files\Cold Turkey\CTServiceInstaller.exe
    "C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5044

C:\Program Files\Cold Turkey\ServiceHub.Power.exe
"C:\Program Files\Cold Turkey\ServiceHub.Power.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -first-run
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe
    "C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" -first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Program Files\Cold Turkey\CTHostInstaller.exe
      "C:\Program Files\Cold Turkey\CTHostInstaller.exe" chrome false
      4⤵
      Executes dropped EXE
      PID:2332
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getcoldturkey.com/support/extensions/chrome/
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa857acc40,0x7ffa857acc4c,0x7ffa857acc58
        5⤵
        
        PID:4556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1992 /prefetch:2
        5⤵
        
        PID:3672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
        5⤵
        
        PID:3656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
        5⤵
        
        PID:3856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
        5⤵
        
        PID:1356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
        5⤵
        
        PID:3040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4024 /prefetch:1
        5⤵
        
        PID:1216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4676 /prefetch:1
        5⤵
        
        PID:1604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4988 /prefetch:8
        5⤵
        
        PID:2796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5188,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5248 /prefetch:8
        5⤵
        
        PID:2492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4712 /prefetch:8
        5⤵
        
        PID:216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4636 /prefetch:8
        5⤵
        
        PID:548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
        5⤵
        
        PID:2672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5480,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5508 /prefetch:8
        5⤵
        
        PID:536
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5476,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5792 /prefetch:1
        5⤵
        
        PID:5180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4400,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:1
        5⤵
        
        PID:5348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5676,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5500 /prefetch:8
        5⤵
        
        PID:5768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5672,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5532 /prefetch:8
        5⤵
        
        PID:5776
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5596,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5580 /prefetch:8
        5⤵
        
        PID:5904
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,1282450542278435554,11408587693508936940,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5828 /prefetch:8
        5⤵
        
        PID:5956

C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe
"C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe"
1⤵
- Executes dropped EXE
PID:2716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2172

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5432

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6128

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3950855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cold Turkey\CTHostInstaller.exe

Filesize
32KB

MD5
c2e639633d46b0f92518acd99b2cca4b

SHA1
772609c69eaba0e5c3c7b7a5f32af00f10666a78

SHA256
5e8ff71aedf36a995151309a6626fffadc51194e39ee1b9633810b752e7e59f2

SHA512
df25e6d1b1119bd119ca72984605f66330560ee964849255c1e9e97de65fd27bd5f3e68366bde2744f3e6334a77fa6e2a5ff9decd2fc250777696723c75eaa39

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostChrome.exe

Filesize
59KB

MD5
eace7acbd5a1a3884819fc2bdc0f937e

SHA1
aa20622c959488589cfce4af5fa2fb3c4a6eebf2

SHA256
4c6cd4fb3fa9252d578dcf2c10890223714a01793a9f60e1b152f3971d63b939

SHA512
bab478e3fed05c33cf1a8c4907625d404497afb9800ad5e4a305ba10bec94644eaec7d8bd6321c0363f4d9ec5590ca1df475d67feadf253a33ae3759cf13d752

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostChrome.json

Filesize
280B

MD5
9f9fef0ef707d3b2dcab79428390b9be

SHA1
bed90924387006f05cf2021ccd7cb639fe80fabc

SHA256
c304ef695bb3a6220ed56e6fd3b0539ced6ee20a90ad9d1237876b46f71d1a16

SHA512
389e5028b7811e9e26166895a1e77668960561237b42312164c8686bea2c674584288c15c8f9c8506df2173eed4c73e28aee777cb6f85567b471871f3a35b4e8

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostEdge.exe

Filesize
62KB

MD5
c1c7976bb06bc99331f175c66e2b5ea7

SHA1
de437a33fb01afc25013edca63d901dea36cd1ae

SHA256
97d1b687b92fa518e6f440141286987188ec99904cd11c0e0a207d116cdc1a18

SHA512
cdd3ed40d6a32ea2f385746434b5a165f228840c391d1e6dabcbfb999640a7f18352247e3c51128a10bfab58e8c46e11c665027ae903cccc6ad251b03843dbea

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostEdge.json

Filesize
223B

MD5
0a8af25d1f9d0a3d27c8dce58c8e4b86

SHA1
db3f1d2b9ece0ea039e0047957aec05b6c0e97d5

SHA256
6949974f9f8bc30a1eba5747b854c2f8c9b9ca0d315251830df3eb2044d9c53d

SHA512
738c60dcfaf2f1104ed88700cb4c4a3d4adc8637b353c734522ac7407eb668a5d4e166a753566171b1a4c8e22f71d77cabc39c9e2b3039357cdd4ed53c80e70b

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostFirefox.exe

Filesize
61KB

MD5
3ef5cabab4728c07de2f6c31ae24d91e

SHA1
146bbae0c12204c32ee06735e59c13edc7892b54

SHA256
7f1393cecd9bdf719b8d7d95cd4ca91d26786105b03d368f8c52f2ffc99925fe

SHA512
00be619689d823cdce777c662a03a2fb1a9dee38c95266cc76149a915d3466864290809bd0a45c7daa292d13031bd6d175198d11e646c0eccab97fe00409c1ff

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostFirefox.json

Filesize
205B

MD5
06f8a880bda481af8fde7b1e85276085

SHA1
9175ffb19c5538537b80035dc8b19790d460c4f5

SHA256
db65ef15747f119e6645381f3ef1e7f9c2f7f48b227d5b079c5ee10d64de79c6

SHA512
e5d3d867468976e835c2696da87655e58039b6b30fd38b18a3a20a0575aa3c819aa3c88b197e470b0f17ea5c27326d95c3a03c8b02fcea5ba3e324edcc8fe8cf

Download Submit
C:\Program Files\Cold Turkey\CTServiceInstaller.exe

Filesize
23KB

MD5
3fa851e3c7a2f1e48b96621b3710e502

SHA1
e795262a1ae93f4c1fbbe623a9ebc36ba1789ee9

SHA256
20a2baa9370b3367ec70c25ba4d65f4de45b9b378b8af98c55d3d255c82b5822

SHA512
87d049636db02576eb2f3ffd74ca1461627581592de59cc1120d69316d75647442806921edb1b92dbb3c39560ccdbe4db2c9ce24ca42151eeedbffc35c08e76a

Download Submit
C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe

Filesize
731KB

MD5
7a341f52bb71eddc5b755063c70b33c7

SHA1
0ba8aa6888dbf15c9933ff30309e2c25b5073d22

SHA256
98929793f99d72268dc63562ec7a9d3ce8ecacdeae5d03c0848a8fa88127ce44

SHA512
688f79272a2b2e489afac1bb987e81fa09c4e8a2bf2349bd14783c0cfe50bfa8316c0c419e834385f7b2d91e559c293326dd52f59a3769ec7a80dcc8cf70b385

Download Submit
C:\Program Files\Cold Turkey\Interop.SHDocVw.dll

Filesize
150KB

MD5
35d307bb1673d430962df027b828a550

SHA1
2afbd8ae7bd35727ae9994eb6ab8f65b5fac2f60

SHA256
a170ab0a1142eb0b45db32b8544c70cf9775bed915f87451b8a26cb542c665f6

SHA512
e1dd7fd7d653ec7d5b76ec7ae38666f71e5700f73efad341bab4b4794b5d6f48d6f11434d791d7fe852a07fa595b633683f46a3eb5b4f8c44e0c3bdde733fad0

Download Submit
C:\Program Files\Cold Turkey\Microsoft.Win32.TaskScheduler.dll

Filesize
278KB

MD5
a601795cd6d837cef1ff565ba280c631

SHA1
92e370d9cdb7b858338dd896e358ea93eac41ed0

SHA256
46b6a4d2acf1d1a6d924dbb30915f438e7ce046849e1b77842e7239819f31941

SHA512
370d00d6b8e9177d46ea803753ca72ddbaddeafb846af0dfae1b0551e1e78c6da83b3ef31e6e3caeb37fcf7f8e48effbaa0faf206d984b805455a93ed4208a24

Download Submit
C:\Program Files\Cold Turkey\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Program Files\Cold Turkey\ServiceHub.Helper.exe

Filesize
515KB

MD5
90cad1d55d961007a517526a54ecacbb

SHA1
30b126ecae4e62ee3f49507c9077a62ad708b7d2

SHA256
0fe45bbc3dc09106f73a1edbedf33472325c3107efb8c6a8e2d46372b93b40ae

SHA512
1f8e230feef5f015160d6eff6e0507c471619cc886df64a1a6f911dfb3c8efe2fc783e02f1e0b4424869be01cc52d088048e0c3eb83dbf0417e3cc97fd8ec6db

Download Submit
C:\Program Files\Cold Turkey\ServiceHub.Power.exe

Filesize
136KB

MD5
a35ad99e1d94f034d2eec967b34062b8

SHA1
21d6fd29385e41e5f02d771431e60f7f0c841995

SHA256
5dffdbd9add7442a5357ed6154fc82137159aa72435da5c6d3763bd2bcba6ad4

SHA512
1e1250237a296958f352aa5a22a5a970c7e8074a95f02faa2790b0bc318bb43dbe2d7397e20fc05197bde0f94c3d0e017d892eda15349bf021658e8eb94086d6

Download Submit
C:\Program Files\Cold Turkey\ServiceTools.dll

Filesize
8KB

MD5
1ecde58b9899d2a7037ff6e6a4e8ac69

SHA1
260979df570f6b0b64831338bcb1b57ab377a6ec

SHA256
c59484efa0618c171a0cceedc88066bd09284da9e48a67032e3342971413b731

SHA512
fae93da5c7bd7c782bec96af38c0b8a7ea94b23411a1936f60b8573acea6a199b3deaebf901e90de211825fdb11d33b0d48bcefc49aef67290fee442aad8073c

Download Submit
C:\Program Files\Cold Turkey\System.Data.SQLite.dll

Filesize
402KB

MD5
b0911d27918a1e20088b4e6b6ec29ad3

SHA1
93a285c96a4d391ea4fe6655caaa0bbf2ee52683

SHA256
24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

SHA512
518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

Download Submit
C:\Program Files\Cold Turkey\web\assets\calendar\css\calendar.css

Filesize
972B

MD5
7ecac1c782867e764cc62a3dd452db8e

SHA1
86c4371ee4efb3b620a1aff1b54805148671ad58

SHA256
58cbe9e638a026ee13fa426fb598aaecc4e01377c8eb9b0b98419dc189c7380b

SHA512
45b02f61e21b27cdb78c7e084748e3456c9e2f4b20371565ad18e529901969f4c2f00cc2b1e24b6788ab43bf210aeefb9aa98626c90a6b7926bff4aba0c3ed76

Download Submit
C:\Program Files\Cold Turkey\web\assets\calendar\css\jquery.weekcalendar.css

Filesize
5KB

MD5
52dabcd23bad85a8a2f7fe5f5fdc2827

SHA1
afc5b833bd056ae9eadc0d9d596f79967812b463

SHA256
1212e6eb66eadc859bccdd4029bfb992550a0e3f79a9daa0e3e453fb7179803f

SHA512
079cca14b325cf567b532ef1b661382209c1dc093e10a1369df88aef92d8c1ee5dc151ddcc2642e2350073270f0b4807ffa22655373886e19c31e0909eebf55b

Download Submit
C:\Program Files\Cold Turkey\web\assets\calendar\css\reset.css

Filesize
1KB

MD5
7ccf267afc3d90bcc4b7e4ec845b540e

SHA1
8516fe30cb46057758a15e1bf0874339e1838262

SHA256
2a4e5c76ec4b580167caf521fd4a6dafaff27e19f0e0a5a40824f04a10860f5a

SHA512
4f80eb61a1267fe7bd1131f30336fa1a81b1955afa377beb9f5418b09c24f349e428dcfb362c869c5abe1deeb11a3f911f23be3e9f733cfb7bdeb65b36916fe2

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\components.css

Filesize
7KB

MD5
75bf10a1cbd3dbfb278fb3e519e9a025

SHA1
ba83d2bb589df919b6b216261d75b361ab640dd6

SHA256
4670229615be54d15100d5cc3abf180546e4f184c66ddc16afeeea041e680e62

SHA512
0efd150b55b59f000b961b37509e8ade9ec662c3f8089e9e48811dc87dbf0b4880203671c0f4452a907c64bf18bf953df2e30d23b311d590aa06c5982d9c4168

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\custom.css

Filesize
26KB

MD5
6eb5715befe459cc5e35d383d6e18986

SHA1
e4aa5da449027f962834e90649e2582aa1925794

SHA256
a2debad92be4570a1344a49c483237a75f32831b203e91df2f71bfc95871bf7e

SHA512
d9745f6e9ce408fac71f6b621d4965cd9feaac989416bb65a92b35a8115696f740d70306db82e030aaed06e3666bf46ae73e3b26ecb057ae386d268272699f26

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\layout.css

Filesize
12KB

MD5
f43425c224814458707f19f33ca3a76a

SHA1
a99ca8d71c5bb55fc5f7f5aa469f679fdb67fff6

SHA256
c700a98fa98c04f35f2aed5b1f40e1109affb9fce238c2781b48e2788ada7809

SHA512
a5626f39ad2e8dad4a852dfb0d6f7afef17ea9d1391a23ccbb5a5d0fc515692916f50471503017410c2355082f593a7b985893e175d3dc3ac419cd3b7a2a7fa6

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\plugins.css

Filesize
49KB

MD5
7ab35af9e3bc5a23653d2bf19f24dfa2

SHA1
4556fe3e33c1efe41755e41ec22d589978e774fc

SHA256
c5cb038df15325b498fbfadb48585d6b971c403b632204c2e9abe4274411347f

SHA512
ffde06980cc9b5240aae7fc596256e0ad55d4aca2c653d3da43fece2e01030c128ae449bc3a57ab74c90e2279fc9a4901c3dba5205ab294cec0c23f18f2eb015

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\themes\dark.css

Filesize
16KB

MD5
9c7dac837daf2480a4eb019f46e16bb7

SHA1
401e6e83991dbdd352f4a3479ad8985fbb088d5d

SHA256
c570d40d5a686007d74107392f2518c1ba975405cc8fb98fb0b9371bd58ca8b2

SHA512
1c4442f3fd55e9e5ed60a064481d43637bcc1499940c0f0bbde3453977de0ec8f0fd7659f3804bb8f1cdeafa46144e8c9a18dde87cff744677c0eca1d87feb10

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\themes\light.css

Filesize
16KB

MD5
66adaf46aec02cffc8f379bde9484f3c

SHA1
434100afaa8d9250ae72dfda000d1d305a6210d3

SHA256
5beafd4cf947df97016f50ca25a4244de486a54e74660d0aa1b679db846e3769

SHA512
0865a46f661853051d40f5a14d12824acd8271048477c8af761fed5acb423781b19f55f53d73dd415f72a04f8c0c8834cd9d6939fd1a04553d1101265305bfc9

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\fonts\fonts.css

Filesize
1KB

MD5
32d4e61d0951d9189574814e94bbadde

SHA1
1a4af428ef571368cef7eb548aeeed65a9c66151

SHA256
c4f2eb99e50c137e8a15ff0c5aa7e254b8aa44fe41fa9d2b0b27b81f3ead5ac3

SHA512
d7798c9559be227707703d0b15dbb0866c3b728f1d771a8a997273fd541e5c05e9bd95af79ecc80b057644f54fb9507eb4e0f751f648b62e0161b1ce11fa46f9

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\img\loading.gif

Filesize
714B

MD5
e8908ee10ab32cd4f2cde16f62601b5e

SHA1
7a0d5a84bad8a2d9c0c06e20dc2455192c75817a

SHA256
422b45b32ae58928a3755c3d6252dd3b48277200a2c77ce18c6752dbba79155d

SHA512
70d9479b880cffc6573fefffdb5ec1e88f3aa4e3c7c576536717642623a5c2a5dfa3819f64e12e24e69f6a445de0e90eda8ce7f24f7d17e773be822b6478e114

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\img\logo.png

Filesize
14KB

MD5
3b65458ed541e195186b70eaa0fd1e57

SHA1
085081628b3c34005e4649e5138b0afdf72830da

SHA256
fc3e3437e0488e9464aab1adb41dc163d6aa48d8c49d772f14e230146107b9b4

SHA512
e62bfc6dfccb5375936c9278242ca9e5e8072cdf656d661d8615f29d02754e5d320e83705168a0bb89a07419d8034b1f7112fdcdf139db92e578d1dc4b07d078

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\img\mario.gif

Filesize
994KB

MD5
f1ff1359097667efb5cc15549ae8f35a

SHA1
5b94d707b1a2cdafd600bcaf5d53b840331d8f3b

SHA256
45a91287ec74e1559b4aef0c169a1600243c5b848aed0234145f94951bc20ec5

SHA512
5ab71d685c6029e68312656902ef93639f7878f64d3e34d6d923f9843a1ec16d3747baf42e65e59b49b13c931869f50426de04aa3d021bdac1bb19c9738fc576

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap-datetimepicker\css\bootstrap-datetimepicker.css

Filesize
8KB

MD5
1376617545121da9a4634704da9d8d72

SHA1
1c55e3c8ad8172aa1aedef7e9ce550bec737d3bf

SHA256
ca124a8446a32ee80ea54dd30cff6bcc2e192537d77124554ffe5d8794682153

SHA512
62fa41427d10c9eb0323c9d184cf924e9fef1a8891c57f5ca2f2d02978d5c4a59dcaf7305398f23f9a549782af363befddca59b5ded9164d2628afed0488f326

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\css\bootstrap.css

Filesize
144KB

MD5
aaaa85c69e41c62628005055958348f2

SHA1
60e7fe3ad66f7f7c9bcecbe5b3f1ffbc3ae5a5cc

SHA256
30bd8d7d8b0467086f23104814a89f69fb1bd5c5f779ca2bb978806772c58cea

SHA512
96ee6e4488d10bf551d946e99fcda10607209e76a376b6268ba970f1cc321cd158c1a39c75753d06b79abb1f2baf94fa94a57fd40531f436df3a3950be686529

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\js\bootstrap.min.js

Filesize
35KB

MD5
4becdc9104623e891fbb9d38bba01be4

SHA1
6c264e0e0026ab5ece49350c6a8812398e696cbb

SHA256
4a4de7903ea62d330e17410ea4db6c22bcbeb350ac6aa402d6b54b4c0cbed327

SHA512
2b5aa343e35c1764d83bf788dcceaff0488d6197c0f79a50ba67ef715ad31edc105431be68746a2e2fc44e7dae07ed49ab062a546dcb22f766f658fa8a64bfa5

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\css\font-awesome.min.css

Filesize
30KB

MD5
269550530cc127b6aa5a35925a7de6ce

SHA1
512c7d79033e3028a9be61b540cf1a6870c896f8

SHA256
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd

SHA512
49f4e24e55fa924faa8ad7debe5ffb2e26d439e25696df6b6f20e7f766b50ea58ec3dbd61b6305a1acacd2c80e6e659accee4140f885b9c9e71008e9001fbf4b

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-alphanum\jquery.alphanum.js

Filesize
23KB

MD5
b2805b7868fa7b10d2e95c7d3b3e00bf

SHA1
b495eb8833492d377f033afda5e4b84847faf099

SHA256
6f28ab4471f90643a7e044c7a8b27cb1a354b7b177c2e11222851f7cec34352a

SHA512
c2e73d3c6ffdc3a08809df937e519bad5abe311293e7517bd1ffee41f65b84d655a5c5f307d74fc09fe862dc941cfd762cee2237a912b5cd75320346bc4064b4

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-bez\jquery.bez.min.js

Filesize
987B

MD5
37ae503648917ec7578027f9b28abc07

SHA1
eeb2ba7cb6f50c653236fd06f06f1da8146fd732

SHA256
3112a128fd08bec867bf0ee976756bab49ef5ee3c384e9f9f5fc0634425e1b5c

SHA512
c0517f586331c88d77f5cc64330346cae528fe272849b77a05bfb91db8e7b02774256062bca6a66067e273329df1fb728e58e4457971dbd6aa8a322cf93d2ec1

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-migrate.min.js

Filesize
7KB

MD5
512b871a2830e44259bc3ce3343afcd0

SHA1
875bce76a77590c3c438bbc6e014b39c23c8c88d

SHA256
c4d24f6b27cc7ceea56fbec786bb1f486fdad9a1f998f760f76d1f44671e105c

SHA512
7c31817254b71d4cac10120aa2829614311658e468036d27eb43b063b392620c4611ec3db3b3600da3e48fb82a41c5579c048fbd9022156f038b2b6cb5d946b5

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-timespace\jquery.timespace.js

Filesize
52KB

MD5
5abe75ad3dc0b16acebe545a1ee6cef2

SHA1
7e12d8deb0e120f7fcfa0210336131c836f07d94

SHA256
5a8f7a219be2d49dbc26247c93b287978c03886a53c56d0d0d977fcae14d9760

SHA512
279ec0bda5288884dd4f11e36e00344c4f21240d10111e5765aab5d21518ababac74c9c13fc63d28c0ce57bd0be40df31536d9958eeec50fc317d1f5f869eca0

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\jquery-ui.min.js

Filesize
233KB

MD5
2fd2b9b20d69c5a02614fcfcc223e6bc

SHA1
3bad15be61929f9fce8d723cc711907cd3f17f16

SHA256
2cf7b958dbcea337bd3af6106480fefbca95499d1e278c3209bc6e9a11267156

SHA512
634dc25d18d5680b50f836243c688087f4a19bb608204bac0fd5866370aae92b144d6029023e2e79ae801894b37aee7d033029c990633eb694a180fe6194fc46

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery.min.js

Filesize
93KB

MD5
00f66eada2c54b64a3f632747ce1fe2d

SHA1
a4837154098ac13ccd72e08fd25d7bcf76826986

SHA256
100a135d8e7d5ebf1fe83b0b16da1d8d8b2321acdc4d5c24a1f9a7df53b23cf1

SHA512
11220e328a367f1086d0369686d09206badfd2cce18cdbc7420b4aca9785054ad7576f156b6039444f762f6a46a58ac7cefdc0f2bf031f215f59a8d6ae8e254d

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\moment\moment-duration-format.js

Filesize
12KB

MD5
c7af43b1559f182990227fbe38bdfcf8

SHA1
47abef5ac3ed1a021593ca3180b004c0dd25f8c0

SHA256
493c18c7fe2b367e761404dbdf0825b1166b28e7f16437ecf8dbba88f9135b56

SHA512
d141f40289f1e0964b56af22dad4e961782e0e3000e0b1ff5198fa0adcbed3fcb363c255d2d7bf1b16914fff873ae0638fef2e8dbe3fafe2ea186df26e8e8da8

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\moment\moment-with-locales.min.js

Filesize
328KB

MD5
1b1c80b617bfcaf8c0766d41c4a3c680

SHA1
6319f4a7d5f345583a730ab527704ff2491a9043

SHA256
01d40df7c31566ce3812adb24f0b682ae7e19d4fae67bbf69179c3e6fab3655a

SHA512
8652e0221e279dc6f6c9ce183ed5a4e703b291c1711747c1779ac77c9eb1b002c8da4858dc7f0b6e2becc09139169cfb870b3b0890aa3b37728d61e2289625f8

Download Submit
C:\Program Files\Cold Turkey\web\index.html

Filesize
133KB

MD5
6a4509eba4abdc12faa80ca1d4870848

SHA1
24870f729ad1a63fb3f0f21b3116d08fa3577aa1

SHA256
e0723ce519d9c071bc7289606e542cf830f50abb4f096b83f657924f0270a200

SHA512
94d29428d9e822fe07c47400b89960f04ec39a7b3125676b73d7ca499f2893b8ef63d143fab3600a894fe9435098a6d84d72df9b55c75de894e3e796d6a197eb

Download Submit
C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Program Files\Cold Turkey\x86\SQLite.Interop.dll

Filesize
1.4MB

MD5
0792c1d3b4dc27c8a11be191e61f9276

SHA1
6d92350b14aa5ccccb321924215b135d2595fae9

SHA256
98b0e0e7cde328d21284687dd359e36a42d39a329d4353d3c39def990b46a18b

SHA512
126fdc341814f97fec2ed865eee7b84e4eb2888a784478f550b2fe929e088a8097c22ae888e21fd8209a8c91362ad5170aa5476d0f62962ef4d2577adbd80bf2

Download Submit
C:\ProgramData\Cold Turkey\data-app.db

Filesize
20KB

MD5
39a6dbb19cbacb19af5d40eb96b03ffc

SHA1
a262f45d67dcb00d6a1c039d2ccd8a57a96c926b

SHA256
a293e2ffe80c3dd8362c8112dee6fe27015e27b575fb00fc2263b16ebe047baf

SHA512
23e6988ac2bb5a463a6b1c31db2275f242450b2293ae8181131f334f1441f2118a8c981d17a1d0b23fc63620da184c4f1a5bbb8429b001f815f59a652318d8b4

Download Submit
C:\ProgramData\Cold Turkey\data-browser.db

Filesize
44KB

MD5
fb86a433e71c1ca0f4486f33b5a30672

SHA1
9f88be857e3c25cdc8cb02f4896b18131fc50d7b

SHA256
fcdec265073822f985ab1ea12d4086e3f85aa4422231632f1a63b3b3e39f97e5

SHA512
7afd28ff89b29de80e15f068239bd9bf36803b695362b2fd55e595f4e4e1176543578880a3f755ba4a60c85caebdcc62dd93207fc9f3a968f263845e67dc254a

Download Submit
C:\ProgramData\Cold Turkey\data-helper.db

Filesize
44KB

MD5
0fe2328c7f20af8ecf26a8c87fdff6c3

SHA1
8da9a15bbd8e0a629a5ad27dffa59b79074f5c80

SHA256
0cd00354601be6fee25ab2c69aaf096bec4ac24f20633835e2776bbd3d01fcfd

SHA512
5a44928251cc2fef7893d449813292ca5091aa9b34ee6bebc055bd20b17f7a3e5fa52b4a4b594bfef9458a3dc0d344caebb9838731d224b272abce5fcfc148f3

Download Submit
C:\ProgramData\Cold Turkey\data-service.db

Filesize
12KB

MD5
8ac7cdab563243837952f2c38ffa3248

SHA1
93c877bf65519b0b997f1f984f4e478712f9ace5

SHA256
827959e4ee628616a202809b452daf0529190a4062474fff5731035057d01eca

SHA512
2c21d3fb8d7a6db9d06d792d8b473c33607645feecc6c0c285360cdb58720935836e273987f7bfd8f8bea9e72ac43da2d3cdb37f849a6ba26b0e8df55e85b888

Download Submit
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-4182098368-2521458979-3782681353-1000\ReadOnly\LockScreen_W\LockScreen___1280_0720_notdimmed.jpg

Filesize
1.6MB

MD5
5641512b0154d1f085a8d9c3cef434fb

SHA1
921a13d3882774d5b038a66ade62700689cbdd3c

SHA256
0b8ca78426022d8a7189dcd3e72f72988aa1a79d91d2814415d4b212af7de777

SHA512
18d703a09932dda66d20273005051a64e2c8e9b77ae9252cd0564b172a9ae539a076330aa7c17488173aad8bcf206106d339f6b224d30f7def276e181bf0f72e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4cac357bf24f523841d64a4775f0aa54

SHA1
78b550849a3899d802ec8798fac15a7401580ba9

SHA256
04e85566882a2bc4e8d6d31ceefcd36b4c0a5b3cc3885321ea274abf780ce5c2

SHA512
f9b9107b26c3ac0ae71c1a24c5e240f984663322eea15ecf6ad4d2e30cb444b78bb3da3d3c9229c37ebba39061fa283f94f02376524abd7d09f02cdb632159d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
955f81af1303eabf9864362f69ff8b6a

SHA1
53f8d7192853740fa81d279b677facf90b9134bc

SHA256
4b37e7c026eb64571813cc3eabc0c499c9309cb01ab18eadc2487af81f40f216

SHA512
ca7c6f558cab9ec615c2ae887cff4a1a4a318da02fe77a3732c3f8b36705da4b5b268c6bacaa93dcdbd78ebc305c3f7a3944047a855d7b9c98eabade329d3cae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
86KB

MD5
a74f25841b460c95ef310567d20162e7

SHA1
332b97b3552eed51c0262da3c1d2a851a256f262

SHA256
84035f1b781c8fa2abdd2841c8800c966ba40977f337e067db9db0730b0ddd3c

SHA512
f5e6d41bca823c2375dad4360771268af58e7cc1dd82feceb5a9f9ca556e693de44a273e9070a913c33005502999c3668ad3f79119881180a99aa14862e7ce2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
22KB

MD5
9ff6133bf05a2dfd415df25b4170cf59

SHA1
6de969a11fdda0476edc2cad872a2a004f3ac3b0

SHA256
badb1aacfc3a0ea133a9c7eb7ac88443b8f586b92f5b986d2142e2c94ed6d3ee

SHA512
b46a6e8be88b361b4c59163956398bfe3301e7e48b1d3a5ab6bc943fca97b6b8bc7f8aefb0fa36ada6616d325dbb23ba8a888a05bfd79855a7498f270b974c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
38KB

MD5
bcc11ca3762c94b904cb9ff73db34d57

SHA1
199e5590f345f6a2c9f8dc1b812279d04490548e

SHA256
c1f91e12a8da4ad4cf3a4b428a3f21586228f3fbfda5362e527224ccdc136990

SHA512
ff02d4eb65026d7c94fcc0904b61cefa2a10a4ba53d58ffc05c3a47d2da6e7faf83b43ef410309a6851bb55fdbf6016ac5adc7e4adfeb3db5bed7b0b4154f796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
41KB

MD5
0d17932e0626482afe8b6f310e47cb24

SHA1
78dd115cea950e82c6428486836b1975b6630573

SHA256
1f5b32a1afcdf9092cf1f0bb84eae0a6be1c8b4ddeb4d2fc4d271d1314aab252

SHA512
75e51a80add7329ddf91df268fe15a827931325283f15212b55a2dc41b76c1050863b0c0eecc4e7f20c069c0b8cf0c5b4e666ec9dca843c37a8e25867785edb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
70KB

MD5
7c1630f47588309b9783661b00986635

SHA1
ec97aa5b0c6053114708593fa1692ffd49165e63

SHA256
529548ebf01923fd62e4f6eb180da4b6a974d0df157d10084fa7570dbb53fe66

SHA512
02d57ea5c66178f3e37e59806ac751e35985aa51417316dc1474ca8cf73491e08cfd7760f3c4a620c2052f9380df5909fdcb6ffca5989e5f83852764ff793c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
7002ac573be8949280cfde366634abab

SHA1
1e7220102b723b742c26643d88356c9ffc9d7332

SHA256
2d0a64dbff41c4df2130efb8811ee43b606116137377a4bcb8d9565d8f6f7ba5

SHA512
97f71666d28e7ef08e210489eab4963e4f10f89577b2d77c6d106d991e37956d8564b84a71c66c7dceb7ed87463febcf4731601d4c57af8915e4929ca176bca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b59400ebc959ba6f76552a20fc665a08

SHA1
0ea1c5cad71a669269c758189f9cd097038c9c21

SHA256
0b1b4af3ee7e18ffa1ebf84ac885e609ae252d8c3f2befdeb4090dc82be4a3a2

SHA512
157fbbb161c30f1ab71119b8e64da5e33ce823fd26dd484416e3151eb5c17278d185194a0aa94826bc27de55900d656772cb94033fc8e3601946a639b36f5d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0448fdeb9afb0ee1901a71614fd75392

SHA1
769bba4b5563ebe4fb3473eb96f61759d27d5688

SHA256
1699ec1ebdf8f65801bf63c11979330c5d62b5b2432f7a3533c2fc0af867edac

SHA512
2d545c67c995c0356232ec1a56120d308e19e21ebd000304037a432aef4bf2c3e6721b2fa146e2950390d779176ad96442f7284b7575a259d3f3ec9c48d548af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
2706194a93a0839d8ad98fe317089219

SHA1
947fc0fb0fc67f94ce23c368ecfe69c65deb8a88

SHA256
dbe2d5d57baed838c42470f86ce1b6c5f3d5a61c06daa092a306803209f1a994

SHA512
e1757e1702c4cd3184d03d161c96958219bc320e56830980ba95cab15987e8dbd69945254272e14619d3332150d3329c8d87d605684c8815ec84a29d5fe7237f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5e5de12168b02a9513ab7a2d8047e10f

SHA1
2d83cfa0045ec0332976bb3acea852bc50277572

SHA256
1ba7f81da6008a7958e7251012c7ada65f36790a123e28fee8142a07abb00990

SHA512
0ca4135aad3c34bc431ad6cbe650498f060c4a1d491b576fe238fe6ff931c60c1590b3f95f173393049cb5e306c20e003f2c465885d255a568c97e5026b72e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
565b7d02e38ba42876ecded8578de0a8

SHA1
beee3081bffe95ee75a1599f0e4d0df03cd88e76

SHA256
055d567a43c7322fef30e0bafeb6cd9bb4ee7366e13f39a16fe68ed5e30e058d

SHA512
f8a029bc463ebb7e265f9507ecea030e285510579190cf03c93be5df8ed09a4d6a2cc23d743166063e0f6ed0824e1ecee004602151d2b4af634b6f8430085a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c73a791c94272424afe9df0d7c1fad99

SHA1
5312ba3bdf5b30ca7c88a32ebb6f2ab8fa45d74d

SHA256
18345d78e90f02ed43ba82b7380952ae7c062985d0b51a75dd0f4c8406a2fc75

SHA512
fa854d0418c9b390249cbcdbe03d9fd0776acef0a8c159f2de25fdab01e949c273c8b6231c35d10094aa0d3766e49b8f1114d70a7b0aa40284a0835c4e5f3cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b55ccaaf82566ade4bd3b366694660a8

SHA1
45f740a85a683a5f547bcad4d0dfcf5ae6d2f764

SHA256
5baf05e8ae1321485f5def88351f85a52e98ca470c916ce4b94aeb6ccf1db8bf

SHA512
f90cba079faa2361f1ecace8f8d655c5cea949d7464daa61a5472c3bc101d6671d643475ad1913014506b432fc86f0e736b3f22e5c0df6e55235f1c950880490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6fdf6616cf801d8bc86f592b94a5a318

SHA1
b504abd4116d5870c126c9e59c928daa400836d1

SHA256
ed8ad53066eee3b105e55e9732ce5134a08804142917e2eba45cfcfd21102f92

SHA512
d51b11b2c582dbb098090ec33ed85833e2c68127bcbedfa10c0ee105688a4ea911cbd9b859477bf897693b60cbade309a8057fe41049ef8c87e026acc5fd83d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8f65e3359a319ad5961f2f87b4d0db8

SHA1
bf48150e7a7a0f82c033687fe0cc95176f9fc207

SHA256
ad1c7f119a24058b4fcb61033192df8eabaaea3247cd28eba3bb881d4dba840a

SHA512
06f3659b0c74950713e3540adccc10217c438f953c6802eb8000bec031b2a121e91d5ec7c8ccff2dfb78b4dd05489d82cb60ff5f5fcf6f2e00d9179d8ff77445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6c289e54abdc58a341aea12ace74739c

SHA1
fffc6dae3d0bc4b9c54ae3c867cda886b0ef04fa

SHA256
60b432e804f1940f4ad87f1c1d79afd4a223febe0e14f4ef8bcde0ea4f7048b1

SHA512
fb165b56b64fd7b7918346f8bed6af4f36920f86ae7fa22a88f97f49041210e3114208ae97d7658d41a423a2ed944659c15c8fe567e93b9fcb95e28119d73126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b93da027-c9f8-4ec9-ab38-7ab59d2a8f74.tmp

Filesize
10KB

MD5
773adeb3e655df9cb4ecb9fc94ce2bcd

SHA1
01f2c0342f04108bfa594b8c66522e2816862f39

SHA256
fb3746b761cc3d74677bf8d36bdba7a0d0a437b7da65bdf8d48c8b0bc6e52d78

SHA512
590c07c46c232dc8e50df61d28e359e5c9045eb3666558c99dd3ccade9f6dfc03ba09226745551ce1a8e31000fe1e8b2ef1f35d05427b58378adea3d066015d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
f5ab08bc8fb175d2de0e7e42288a4260

SHA1
246ec53ebad259fdeaf493e793695dd9e7b615f5

SHA256
04a5f313e6be56c8f325a35ac2a474703611c06b203aa39cdf38fb7581131954

SHA512
e464b6d503c1804a7e0d5b2a1418d87a0c02bda791a786ca3fd9354562868bbea7d40af0204a31eb909aca99917b8e3283bc75eceaf495f236cd54b09a84c6f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
70f4e813cc286e5f552a003bab32184b

SHA1
aedd573fa60d0eb7a9a4fa322c6fe8a7307a2c1e

SHA256
ef55e9fa4c7279eb8121323ef96e697fe03b097f10e5d4044995629614ccda52

SHA512
f66f21fd9ccb0f16fe9fe53759383e39bd3ffc161220dd61472f7aef43e323b1b41b9bf8f883c7db866845dae9e4932c49ab95754b415a6afa4bf0c29b2b6c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FFD71.tmp\Cold_Turkey_Installer.tmp

Filesize
2.9MB

MD5
03840135bb43e6c3de3bee0724c3c187

SHA1
d2aab16c47eaf3b004671d3df045a284f1692280

SHA256
70b5fac312a869659bd0ef69a7df1ab46ad7f19f340eb659e57ca71a579da02a

SHA512
31ef538dc407aa5df2d303a77b4a56850a420e866befd58b63d5ec480027ffae14922731c97d20b1bef91c0e17f2ec148d798d318b01344cb59deb497b735e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U1LES.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
memory/1352-415-0x000001A2BA3F0000-0x000001A2BA416000-memory.dmp

Filesize
152KB

Download
memory/1352-445-0x000001A2D4CE0000-0x000001A2D4D2C000-memory.dmp

Filesize
304KB

Download
memory/1352-439-0x000001A2D4D50000-0x000001A2D4E02000-memory.dmp

Filesize
712KB

Download
memory/1352-418-0x000001A2D3530000-0x000001A2D3596000-memory.dmp

Filesize
408KB

Download
memory/1352-426-0x000001A2D4020000-0x000001A2D4046000-memory.dmp

Filesize
152KB

Download
memory/1352-425-0x000001A2D4060000-0x000001A2D409A000-memory.dmp

Filesize
232KB

Download
memory/2332-716-0x00000175C9170000-0x00000175C917A000-memory.dmp

Filesize
40KB

Download
memory/2728-443-0x00000184FC170000-0x00000184FC1F4000-memory.dmp

Filesize
528KB

Download
memory/3352-429-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3352-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3352-0-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3656-6-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/3656-424-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/4984-557-0x000001C4F85D0000-0x000001C4F85F2000-memory.dmp

Filesize
136KB

Download
memory/4984-1022-0x000001CCFA0C0000-0x000001CCFA1C0000-memory.dmp

Filesize
1024KB

Download
memory/4984-711-0x000001CCFA580000-0x000001CCFAD26000-memory.dmp

Filesize
7.6MB

Download
memory/4984-532-0x000001C4F78D0000-0x000001C4F78FC000-memory.dmp

Filesize
176KB

Download
memory/4984-1012-0x000001C480120000-0x000001C480220000-memory.dmp

Filesize
1024KB

Download
memory/4984-1013-0x000001C480120000-0x000001C480220000-memory.dmp

Filesize
1024KB

Download
memory/4984-714-0x000001CCFEF70000-0x000001CCFEFBA000-memory.dmp

Filesize
296KB

Download
memory/4984-1056-0x000001CCF8D40000-0x000001CCF8E40000-memory.dmp

Filesize
1024KB

Download
memory/4984-1027-0x000001C481F00000-0x000001C482000000-memory.dmp

Filesize
1024KB

Download
memory/4984-1026-0x000001C481F00000-0x000001C482000000-memory.dmp

Filesize
1024KB

Download
memory/4984-489-0x000001C4DB4E0000-0x000001C4DB59A000-memory.dmp

Filesize
744KB

Download
memory/5044-412-0x0000000005010000-0x0000000005018000-memory.dmp

Filesize
32KB

Download
memory/5044-405-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/5044-408-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/5044-407-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/5044-406-0x0000000005180000-0x0000000005724000-memory.dmp

Filesize
5.6MB

Download