23a32b9db00c74b0440132fd6dfd0a2b5f9f522b13f59b491c4bbf98070cddf2

Analysis

max time kernel
481s
max time network
472s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cold_Turkey_Installer.exe
Size

7.5MB
MD5

eaa0f3ddd71db24c3a64ecf58e40da52
SHA1

eacdae7c9af8ff3be6be93e83a8dbf1a101b823a
SHA256

23a32b9db00c74b0440132fd6dfd0a2b5f9f522b13f59b491c4bbf98070cddf2
SHA512

8a401d476cfb55798d18677023b067cd6a6c642476bd7c496a3b8641794e0e71436f48944f79381b4eaed29c4bfc12d8a1aa706c58826bcbdcf2048011b2b166
SSDEEP

196608:4o+vdaNLCT/KooJh54K+SSz2G/yQ6Owc0DTmpciZ:4plaNLc/KtJhCK1qKQTw7m9

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1184	netsh.exe
4572	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Cold_Turkey_Installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ServiceHub.Helper.exe

Executes dropped EXE 42 IoCs

pid	Process
5080	Cold_Turkey_Installer.tmp
2856	_setup64.tmp
3548	CTServiceInstaller.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
4992	Cold Turkey Blocker.exe
2640	Cold Turkey Blocker.exe
3032	CTServiceInstaller.exe
3396	CTServiceInstaller.exe
1532	CTServiceInstaller.exe
464	CTServiceInstaller.exe
1700	ServiceHub.Helper.exe
4592	ServiceHub.Helper.exe
2684	ServiceHub.Helper.exe
3112	ServiceHub.Helper.exe
3608	ServiceHub.Helper.exe
112	ServiceHub.Helper.exe
2108	ServiceHub.Helper.exe
1748	ServiceHub.Helper.exe
2184	ServiceHub.Helper.exe
2420	ServiceHub.Helper.exe
4260	ServiceHub.Helper.exe
4616	ServiceHub.Helper.exe
3148	ServiceHub.Helper.exe
1272	CTServiceInstaller.exe
2508	CTServiceInstaller.exe
2428	CTServiceInstaller.exe
1192	ServiceHub.Helper.exe
3392	ServiceHub.Helper.exe
2080	ServiceHub.Helper.exe
3200	ServiceHub.Helper.exe
4568	ServiceHub.Helper.exe
1568	ServiceHub.Helper.exe
1892	ServiceHub.Helper.exe
3472	ServiceHub.Helper.exe
544	ServiceHub.Helper.exe
4356	ServiceHub.Helper.exe
4912	ServiceHub.Helper.exe
4324	ServiceHub.Helper.exe
3920	ServiceHub.Helper.exe
3872	ServiceHub.Helper.exe
3944	CTServiceInstaller.exe

Loads dropped DLL 21 IoCs

pid	Process
3548	CTServiceInstaller.exe
3548	CTServiceInstaller.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
4992	Cold Turkey Blocker.exe
3032	CTServiceInstaller.exe
3032	CTServiceInstaller.exe
3396	CTServiceInstaller.exe
3396	CTServiceInstaller.exe
1532	CTServiceInstaller.exe
1532	CTServiceInstaller.exe
464	CTServiceInstaller.exe
464	CTServiceInstaller.exe
1272	CTServiceInstaller.exe
1272	CTServiceInstaller.exe
2508	CTServiceInstaller.exe
2508	CTServiceInstaller.exe
2428	CTServiceInstaller.exe
2428	CTServiceInstaller.exe
3944	CTServiceInstaller.exe
3944	CTServiceInstaller.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTServiceInstaller.exe.log	CTServiceInstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Cold Turkey\web\assets\global\css\is-P6IV2.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-M3NEQ.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-L8OT1.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-4A7HA.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-5JE2V.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-VORQ2.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-5BMHS.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap-datetimepicker\is-C434M.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-I7VB7.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-VHH4K.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-O9UJ1.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-D10SU.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-ARFGE.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\css\is-TVMO2.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-HHMK3.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-F01QS.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-timespace\is-I60LF.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\scripts\is-U0AHV.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-RTBAA.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-C3U9M.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-O4CHD.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\is-DPI8P.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-J1AQT.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-MTSSK.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-3IDOK.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\css\themes\is-469T5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\css\is-GIJT4.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-3MUHL.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-bez\is-CIGO2.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\x86\is-UQK10.tmp	Cold_Turkey_Installer.tmp
File opened for modification	C:\Program Files\Cold Turkey\CTMsgHostEdge.json	ServiceHub.Power.exe
File created	C:\Program Files\Cold Turkey\web\assets\calendar\scripts\is-5QKD8.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-UMQ99.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\js\is-4SAIL.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-PS7CK.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-9DCNS.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-GFE9A.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-HRNBG.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-01H1F.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\is-D0JLO.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\scripts\is-LMTS5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-C8K7Q.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\images\is-SJ6FD.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-24L0T.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-2833G.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\images\is-3FM28.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\is-AM0OB.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\img\is-7652E.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\css\is-EP1FR.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\fonts\is-C16TI.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\less\is-BNJU4.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\less\is-1SPTK.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-435EI.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-1K85N.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\calendar\css\is-9NJN5.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-739FD.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-MIABK.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-D61EK.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\is-EJJ7D.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\fonts\is-CJHO8.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\js\is-SHP4H.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\flot\is-A5ALE.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\fonts\is-RCCN9.tmp	Cold_Turkey_Installer.tmp
File created	C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\scss\is-6VCMG.tmp	Cold_Turkey_Installer.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cold_Turkey_Installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cold_Turkey_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTServiceInstaller.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	Cold Turkey Blocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Cold_Turkey_Installer.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Cold Turkey Blocker.exe = "11000"	Cold_Turkey_Installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	Cold_Turkey_Installer.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Cold Turkey Blocker.exe = "1"	Cold_Turkey_Installer.tmp
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	Cold Turkey Blocker.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Mozilla\Firefox	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Mozilla\Firefox	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Mozilla	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ServiceHub.Power.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	ServiceHub.Power.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\MRUListEx = ffffffff	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000005259edb0110050524f4752417e310000740009000400efbe874fdb495259eeb02e0000003f0000000000010000000000000000004a0000000000511d1700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\NodeSlot = "8"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "3"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "7"	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Cold Turkey Blocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Cold Turkey Blocker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 56003100000000004759234d100057696e646f777300400009000400efbe874f77485259edb02e0000000006000000000100000000000000000000000000000017dd9c00570069006e0064006f0077007300000016000000	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Cold Turkey Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	Cold Turkey Blocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Cold Turkey Blocker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
1308	ServiceHub.Power.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
3828	ServiceHub.Helper.exe
1308	ServiceHub.Power.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4992	Cold Turkey Blocker.exe
3828	ServiceHub.Helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3896	msedge.exe
3896	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeDebugPrivilege	3828	ServiceHub.Helper.exe
Token: SeDebugPrivilege	4992	Cold Turkey Blocker.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe
Token: SeIncreaseQuotaPrivilege	1308	ServiceHub.Power.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5080	Cold_Turkey_Installer.tmp
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
4992	Cold Turkey Blocker.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
4992	Cold Turkey Blocker.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe
4992	Cold Turkey Blocker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 5080	208	Cold_Turkey_Installer.exe	85
PID 208 wrote to memory of 5080	208	Cold_Turkey_Installer.exe	85
PID 208 wrote to memory of 5080	208	Cold_Turkey_Installer.exe	85
PID 5080 wrote to memory of 1184	5080	Cold_Turkey_Installer.tmp	100
PID 5080 wrote to memory of 1184	5080	Cold_Turkey_Installer.tmp	100
PID 5080 wrote to memory of 1184	5080	Cold_Turkey_Installer.tmp	100
PID 5080 wrote to memory of 4572	5080	Cold_Turkey_Installer.tmp	102
PID 5080 wrote to memory of 4572	5080	Cold_Turkey_Installer.tmp	102
PID 5080 wrote to memory of 4572	5080	Cold_Turkey_Installer.tmp	102
PID 5080 wrote to memory of 2856	5080	Cold_Turkey_Installer.tmp	104
PID 5080 wrote to memory of 2856	5080	Cold_Turkey_Installer.tmp	104
PID 5080 wrote to memory of 3548	5080	Cold_Turkey_Installer.tmp	107
PID 5080 wrote to memory of 3548	5080	Cold_Turkey_Installer.tmp	107
PID 5080 wrote to memory of 3548	5080	Cold_Turkey_Installer.tmp	107
PID 1308 wrote to memory of 3828	1308	ServiceHub.Power.exe	109
PID 1308 wrote to memory of 3828	1308	ServiceHub.Power.exe	109
PID 3828 wrote to memory of 4992	3828	ServiceHub.Helper.exe	110
PID 3828 wrote to memory of 4992	3828	ServiceHub.Helper.exe	110
PID 4600 wrote to memory of 4920	4600	msedge.exe	148
PID 4600 wrote to memory of 4920	4600	msedge.exe	148
PID 1308 wrote to memory of 1700	1308	ServiceHub.Power.exe	149
PID 1308 wrote to memory of 1700	1308	ServiceHub.Power.exe	149
PID 1308 wrote to memory of 4592	1308	ServiceHub.Power.exe	150
PID 1308 wrote to memory of 4592	1308	ServiceHub.Power.exe	150
PID 4312 wrote to memory of 4900	4312	msedge.exe	152
PID 4312 wrote to memory of 4900	4312	msedge.exe	152
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153
PID 4312 wrote to memory of 3332	4312	msedge.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\is-ETPRB.tmp\Cold_Turkey_Installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ETPRB.tmp\Cold_Turkey_Installer.tmp" /SL5="$70064,6950134,837632,C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=out program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1184
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Cold Turkey Blocker" dir=in program="C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\is-OK5H1.tmp\_isetup\_setup64.tmp
    helper 105 0x84
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Program Files\Cold Turkey\CTServiceInstaller.exe
    "C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3548

C:\Program Files\Cold Turkey\ServiceHub.Power.exe
"C:\Program Files\Cold Turkey\ServiceHub.Power.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -first-run
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe
    "C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" -first-run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4992
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Program Files\Cold Turkey\ServiceHub.Helper.exe
  "C:\Program Files\Cold Turkey\ServiceHub.Helper.exe" -notify-app-blocked=msedge.exe
  2⤵
  - Executes dropped EXE
  PID:3872

C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe
"C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe"
1⤵
- Executes dropped EXE
PID:2640

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3032

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1532

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff35b546f8,0x7fff35b54708,0x7fff35b54718
  2⤵
  PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff35b546f8,0x7fff35b54708,0x7fff35b54718
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18193694801144893672,7677139880454645736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,18193694801144893672,7677139880454645736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,18193694801144893672,7677139880454645736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18193694801144893672,7677139880454645736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18193694801144893672,7677139880454645736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff35b546f8,0x7fff35b54708,0x7fff35b54718
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9212982617715199601,231073263446465189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:184

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1272

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2508

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff33ee46f8,0x7fff33ee4708,0x7fff33ee4718
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,10754545196805620229,1785964618080372297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,10754545196805620229,1785964618080372297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,10754545196805620229,1785964618080372297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10754545196805620229,1785964618080372297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10754545196805620229,1785964618080372297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff35b546f8,0x7fff35b54708,0x7fff35b54718
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9678523860584331713,8226799707409050177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Program Files\Cold Turkey\CTServiceInstaller.exe
"C:\Program Files\Cold Turkey\CTServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cold Turkey\CTHostInstaller.exe

Filesize
32KB

MD5
c2e639633d46b0f92518acd99b2cca4b

SHA1
772609c69eaba0e5c3c7b7a5f32af00f10666a78

SHA256
5e8ff71aedf36a995151309a6626fffadc51194e39ee1b9633810b752e7e59f2

SHA512
df25e6d1b1119bd119ca72984605f66330560ee964849255c1e9e97de65fd27bd5f3e68366bde2744f3e6334a77fa6e2a5ff9decd2fc250777696723c75eaa39

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostChrome.exe

Filesize
59KB

MD5
eace7acbd5a1a3884819fc2bdc0f937e

SHA1
aa20622c959488589cfce4af5fa2fb3c4a6eebf2

SHA256
4c6cd4fb3fa9252d578dcf2c10890223714a01793a9f60e1b152f3971d63b939

SHA512
bab478e3fed05c33cf1a8c4907625d404497afb9800ad5e4a305ba10bec94644eaec7d8bd6321c0363f4d9ec5590ca1df475d67feadf253a33ae3759cf13d752

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostChrome.json

Filesize
280B

MD5
9f9fef0ef707d3b2dcab79428390b9be

SHA1
bed90924387006f05cf2021ccd7cb639fe80fabc

SHA256
c304ef695bb3a6220ed56e6fd3b0539ced6ee20a90ad9d1237876b46f71d1a16

SHA512
389e5028b7811e9e26166895a1e77668960561237b42312164c8686bea2c674584288c15c8f9c8506df2173eed4c73e28aee777cb6f85567b471871f3a35b4e8

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostEdge.exe

Filesize
62KB

MD5
c1c7976bb06bc99331f175c66e2b5ea7

SHA1
de437a33fb01afc25013edca63d901dea36cd1ae

SHA256
97d1b687b92fa518e6f440141286987188ec99904cd11c0e0a207d116cdc1a18

SHA512
cdd3ed40d6a32ea2f385746434b5a165f228840c391d1e6dabcbfb999640a7f18352247e3c51128a10bfab58e8c46e11c665027ae903cccc6ad251b03843dbea

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostEdge.json

Filesize
223B

MD5
0a8af25d1f9d0a3d27c8dce58c8e4b86

SHA1
db3f1d2b9ece0ea039e0047957aec05b6c0e97d5

SHA256
6949974f9f8bc30a1eba5747b854c2f8c9b9ca0d315251830df3eb2044d9c53d

SHA512
738c60dcfaf2f1104ed88700cb4c4a3d4adc8637b353c734522ac7407eb668a5d4e166a753566171b1a4c8e22f71d77cabc39c9e2b3039357cdd4ed53c80e70b

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostFirefox.exe

Filesize
61KB

MD5
3ef5cabab4728c07de2f6c31ae24d91e

SHA1
146bbae0c12204c32ee06735e59c13edc7892b54

SHA256
7f1393cecd9bdf719b8d7d95cd4ca91d26786105b03d368f8c52f2ffc99925fe

SHA512
00be619689d823cdce777c662a03a2fb1a9dee38c95266cc76149a915d3466864290809bd0a45c7daa292d13031bd6d175198d11e646c0eccab97fe00409c1ff

Download Submit
C:\Program Files\Cold Turkey\CTMsgHostFirefox.json

Filesize
205B

MD5
06f8a880bda481af8fde7b1e85276085

SHA1
9175ffb19c5538537b80035dc8b19790d460c4f5

SHA256
db65ef15747f119e6645381f3ef1e7f9c2f7f48b227d5b079c5ee10d64de79c6

SHA512
e5d3d867468976e835c2696da87655e58039b6b30fd38b18a3a20a0575aa3c819aa3c88b197e470b0f17ea5c27326d95c3a03c8b02fcea5ba3e324edcc8fe8cf

Download Submit
C:\Program Files\Cold Turkey\CTServiceInstaller.exe

Filesize
23KB

MD5
3fa851e3c7a2f1e48b96621b3710e502

SHA1
e795262a1ae93f4c1fbbe623a9ebc36ba1789ee9

SHA256
20a2baa9370b3367ec70c25ba4d65f4de45b9b378b8af98c55d3d255c82b5822

SHA512
87d049636db02576eb2f3ffd74ca1461627581592de59cc1120d69316d75647442806921edb1b92dbb3c39560ccdbe4db2c9ce24ca42151eeedbffc35c08e76a

Download Submit
C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe

Filesize
731KB

MD5
7a341f52bb71eddc5b755063c70b33c7

SHA1
0ba8aa6888dbf15c9933ff30309e2c25b5073d22

SHA256
98929793f99d72268dc63562ec7a9d3ce8ecacdeae5d03c0848a8fa88127ce44

SHA512
688f79272a2b2e489afac1bb987e81fa09c4e8a2bf2349bd14783c0cfe50bfa8316c0c419e834385f7b2d91e559c293326dd52f59a3769ec7a80dcc8cf70b385

Download Submit
C:\Program Files\Cold Turkey\Interop.SHDocVw.dll

Filesize
150KB

MD5
35d307bb1673d430962df027b828a550

SHA1
2afbd8ae7bd35727ae9994eb6ab8f65b5fac2f60

SHA256
a170ab0a1142eb0b45db32b8544c70cf9775bed915f87451b8a26cb542c665f6

SHA512
e1dd7fd7d653ec7d5b76ec7ae38666f71e5700f73efad341bab4b4794b5d6f48d6f11434d791d7fe852a07fa595b633683f46a3eb5b4f8c44e0c3bdde733fad0

Download Submit
C:\Program Files\Cold Turkey\Microsoft.Win32.TaskScheduler.dll

Filesize
278KB

MD5
a601795cd6d837cef1ff565ba280c631

SHA1
92e370d9cdb7b858338dd896e358ea93eac41ed0

SHA256
46b6a4d2acf1d1a6d924dbb30915f438e7ce046849e1b77842e7239819f31941

SHA512
370d00d6b8e9177d46ea803753ca72ddbaddeafb846af0dfae1b0551e1e78c6da83b3ef31e6e3caeb37fcf7f8e48effbaa0faf206d984b805455a93ed4208a24

Download Submit
C:\Program Files\Cold Turkey\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Program Files\Cold Turkey\ServiceHub.Helper.exe

Filesize
515KB

MD5
90cad1d55d961007a517526a54ecacbb

SHA1
30b126ecae4e62ee3f49507c9077a62ad708b7d2

SHA256
0fe45bbc3dc09106f73a1edbedf33472325c3107efb8c6a8e2d46372b93b40ae

SHA512
1f8e230feef5f015160d6eff6e0507c471619cc886df64a1a6f911dfb3c8efe2fc783e02f1e0b4424869be01cc52d088048e0c3eb83dbf0417e3cc97fd8ec6db

Download Submit
C:\Program Files\Cold Turkey\ServiceHub.Power.exe

Filesize
136KB

MD5
a35ad99e1d94f034d2eec967b34062b8

SHA1
21d6fd29385e41e5f02d771431e60f7f0c841995

SHA256
5dffdbd9add7442a5357ed6154fc82137159aa72435da5c6d3763bd2bcba6ad4

SHA512
1e1250237a296958f352aa5a22a5a970c7e8074a95f02faa2790b0bc318bb43dbe2d7397e20fc05197bde0f94c3d0e017d892eda15349bf021658e8eb94086d6

Download Submit
C:\Program Files\Cold Turkey\ServiceTools.dll

Filesize
8KB

MD5
1ecde58b9899d2a7037ff6e6a4e8ac69

SHA1
260979df570f6b0b64831338bcb1b57ab377a6ec

SHA256
c59484efa0618c171a0cceedc88066bd09284da9e48a67032e3342971413b731

SHA512
fae93da5c7bd7c782bec96af38c0b8a7ea94b23411a1936f60b8573acea6a199b3deaebf901e90de211825fdb11d33b0d48bcefc49aef67290fee442aad8073c

Download Submit
C:\Program Files\Cold Turkey\System.Data.SQLite.dll

Filesize
402KB

MD5
b0911d27918a1e20088b4e6b6ec29ad3

SHA1
93a285c96a4d391ea4fe6655caaa0bbf2ee52683

SHA256
24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

SHA512
518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

Download Submit
C:\Program Files\Cold Turkey\web\assets\calendar\css\calendar.css

Filesize
972B

MD5
7ecac1c782867e764cc62a3dd452db8e

SHA1
86c4371ee4efb3b620a1aff1b54805148671ad58

SHA256
58cbe9e638a026ee13fa426fb598aaecc4e01377c8eb9b0b98419dc189c7380b

SHA512
45b02f61e21b27cdb78c7e084748e3456c9e2f4b20371565ad18e529901969f4c2f00cc2b1e24b6788ab43bf210aeefb9aa98626c90a6b7926bff4aba0c3ed76

Download Submit
C:\Program Files\Cold Turkey\web\assets\calendar\css\jquery.weekcalendar.css

Filesize
5KB

MD5
52dabcd23bad85a8a2f7fe5f5fdc2827

SHA1
afc5b833bd056ae9eadc0d9d596f79967812b463

SHA256
1212e6eb66eadc859bccdd4029bfb992550a0e3f79a9daa0e3e453fb7179803f

SHA512
079cca14b325cf567b532ef1b661382209c1dc093e10a1369df88aef92d8c1ee5dc151ddcc2642e2350073270f0b4807ffa22655373886e19c31e0909eebf55b

Download Submit
C:\Program Files\Cold Turkey\web\assets\calendar\css\reset.css

Filesize
1KB

MD5
7ccf267afc3d90bcc4b7e4ec845b540e

SHA1
8516fe30cb46057758a15e1bf0874339e1838262

SHA256
2a4e5c76ec4b580167caf521fd4a6dafaff27e19f0e0a5a40824f04a10860f5a

SHA512
4f80eb61a1267fe7bd1131f30336fa1a81b1955afa377beb9f5418b09c24f349e428dcfb362c869c5abe1deeb11a3f911f23be3e9f733cfb7bdeb65b36916fe2

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\components.css

Filesize
7KB

MD5
75bf10a1cbd3dbfb278fb3e519e9a025

SHA1
ba83d2bb589df919b6b216261d75b361ab640dd6

SHA256
4670229615be54d15100d5cc3abf180546e4f184c66ddc16afeeea041e680e62

SHA512
0efd150b55b59f000b961b37509e8ade9ec662c3f8089e9e48811dc87dbf0b4880203671c0f4452a907c64bf18bf953df2e30d23b311d590aa06c5982d9c4168

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\custom.css

Filesize
26KB

MD5
6eb5715befe459cc5e35d383d6e18986

SHA1
e4aa5da449027f962834e90649e2582aa1925794

SHA256
a2debad92be4570a1344a49c483237a75f32831b203e91df2f71bfc95871bf7e

SHA512
d9745f6e9ce408fac71f6b621d4965cd9feaac989416bb65a92b35a8115696f740d70306db82e030aaed06e3666bf46ae73e3b26ecb057ae386d268272699f26

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\layout.css

Filesize
12KB

MD5
f43425c224814458707f19f33ca3a76a

SHA1
a99ca8d71c5bb55fc5f7f5aa469f679fdb67fff6

SHA256
c700a98fa98c04f35f2aed5b1f40e1109affb9fce238c2781b48e2788ada7809

SHA512
a5626f39ad2e8dad4a852dfb0d6f7afef17ea9d1391a23ccbb5a5d0fc515692916f50471503017410c2355082f593a7b985893e175d3dc3ac419cd3b7a2a7fa6

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\plugins.css

Filesize
49KB

MD5
7ab35af9e3bc5a23653d2bf19f24dfa2

SHA1
4556fe3e33c1efe41755e41ec22d589978e774fc

SHA256
c5cb038df15325b498fbfadb48585d6b971c403b632204c2e9abe4274411347f

SHA512
ffde06980cc9b5240aae7fc596256e0ad55d4aca2c653d3da43fece2e01030c128ae449bc3a57ab74c90e2279fc9a4901c3dba5205ab294cec0c23f18f2eb015

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\themes\dark.css

Filesize
16KB

MD5
9c7dac837daf2480a4eb019f46e16bb7

SHA1
401e6e83991dbdd352f4a3479ad8985fbb088d5d

SHA256
c570d40d5a686007d74107392f2518c1ba975405cc8fb98fb0b9371bd58ca8b2

SHA512
1c4442f3fd55e9e5ed60a064481d43637bcc1499940c0f0bbde3453977de0ec8f0fd7659f3804bb8f1cdeafa46144e8c9a18dde87cff744677c0eca1d87feb10

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\css\themes\light.css

Filesize
16KB

MD5
66adaf46aec02cffc8f379bde9484f3c

SHA1
434100afaa8d9250ae72dfda000d1d305a6210d3

SHA256
5beafd4cf947df97016f50ca25a4244de486a54e74660d0aa1b679db846e3769

SHA512
0865a46f661853051d40f5a14d12824acd8271048477c8af761fed5acb423781b19f55f53d73dd415f72a04f8c0c8834cd9d6939fd1a04553d1101265305bfc9

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\fonts\fonts.css

Filesize
1KB

MD5
32d4e61d0951d9189574814e94bbadde

SHA1
1a4af428ef571368cef7eb548aeeed65a9c66151

SHA256
c4f2eb99e50c137e8a15ff0c5aa7e254b8aa44fe41fa9d2b0b27b81f3ead5ac3

SHA512
d7798c9559be227707703d0b15dbb0866c3b728f1d771a8a997273fd541e5c05e9bd95af79ecc80b057644f54fb9507eb4e0f751f648b62e0161b1ce11fa46f9

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\img\loading.gif

Filesize
714B

MD5
e8908ee10ab32cd4f2cde16f62601b5e

SHA1
7a0d5a84bad8a2d9c0c06e20dc2455192c75817a

SHA256
422b45b32ae58928a3755c3d6252dd3b48277200a2c77ce18c6752dbba79155d

SHA512
70d9479b880cffc6573fefffdb5ec1e88f3aa4e3c7c576536717642623a5c2a5dfa3819f64e12e24e69f6a445de0e90eda8ce7f24f7d17e773be822b6478e114

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\img\logo.png

Filesize
14KB

MD5
3b65458ed541e195186b70eaa0fd1e57

SHA1
085081628b3c34005e4649e5138b0afdf72830da

SHA256
fc3e3437e0488e9464aab1adb41dc163d6aa48d8c49d772f14e230146107b9b4

SHA512
e62bfc6dfccb5375936c9278242ca9e5e8072cdf656d661d8615f29d02754e5d320e83705168a0bb89a07419d8034b1f7112fdcdf139db92e578d1dc4b07d078

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\img\mario.gif

Filesize
994KB

MD5
f1ff1359097667efb5cc15549ae8f35a

SHA1
5b94d707b1a2cdafd600bcaf5d53b840331d8f3b

SHA256
45a91287ec74e1559b4aef0c169a1600243c5b848aed0234145f94951bc20ec5

SHA512
5ab71d685c6029e68312656902ef93639f7878f64d3e34d6d923f9843a1ec16d3747baf42e65e59b49b13c931869f50426de04aa3d021bdac1bb19c9738fc576

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap-datetimepicker\css\bootstrap-datetimepicker.css

Filesize
8KB

MD5
1376617545121da9a4634704da9d8d72

SHA1
1c55e3c8ad8172aa1aedef7e9ce550bec737d3bf

SHA256
ca124a8446a32ee80ea54dd30cff6bcc2e192537d77124554ffe5d8794682153

SHA512
62fa41427d10c9eb0323c9d184cf924e9fef1a8891c57f5ca2f2d02978d5c4a59dcaf7305398f23f9a549782af363befddca59b5ded9164d2628afed0488f326

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\bootstrap\css\bootstrap.css

Filesize
144KB

MD5
aaaa85c69e41c62628005055958348f2

SHA1
60e7fe3ad66f7f7c9bcecbe5b3f1ffbc3ae5a5cc

SHA256
30bd8d7d8b0467086f23104814a89f69fb1bd5c5f779ca2bb978806772c58cea

SHA512
96ee6e4488d10bf551d946e99fcda10607209e76a376b6268ba970f1cc321cd158c1a39c75753d06b79abb1f2baf94fa94a57fd40531f436df3a3950be686529

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\font-awesome\css\font-awesome.min.css

Filesize
30KB

MD5
269550530cc127b6aa5a35925a7de6ce

SHA1
512c7d79033e3028a9be61b540cf1a6870c896f8

SHA256
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd

SHA512
49f4e24e55fa924faa8ad7debe5ffb2e26d439e25696df6b6f20e7f766b50ea58ec3dbd61b6305a1acacd2c80e6e659accee4140f885b9c9e71008e9001fbf4b

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-alphanum\jquery.alphanum.js

Filesize
23KB

MD5
b2805b7868fa7b10d2e95c7d3b3e00bf

SHA1
b495eb8833492d377f033afda5e4b84847faf099

SHA256
6f28ab4471f90643a7e044c7a8b27cb1a354b7b177c2e11222851f7cec34352a

SHA512
c2e73d3c6ffdc3a08809df937e519bad5abe311293e7517bd1ffee41f65b84d655a5c5f307d74fc09fe862dc941cfd762cee2237a912b5cd75320346bc4064b4

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-bez\jquery.bez.min.js

Filesize
987B

MD5
37ae503648917ec7578027f9b28abc07

SHA1
eeb2ba7cb6f50c653236fd06f06f1da8146fd732

SHA256
3112a128fd08bec867bf0ee976756bab49ef5ee3c384e9f9f5fc0634425e1b5c

SHA512
c0517f586331c88d77f5cc64330346cae528fe272849b77a05bfb91db8e7b02774256062bca6a66067e273329df1fb728e58e4457971dbd6aa8a322cf93d2ec1

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-migrate.min.js

Filesize
7KB

MD5
512b871a2830e44259bc3ce3343afcd0

SHA1
875bce76a77590c3c438bbc6e014b39c23c8c88d

SHA256
c4d24f6b27cc7ceea56fbec786bb1f486fdad9a1f998f760f76d1f44671e105c

SHA512
7c31817254b71d4cac10120aa2829614311658e468036d27eb43b063b392620c4611ec3db3b3600da3e48fb82a41c5579c048fbd9022156f038b2b6cb5d946b5

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-timespace\jquery.timespace.js

Filesize
52KB

MD5
5abe75ad3dc0b16acebe545a1ee6cef2

SHA1
7e12d8deb0e120f7fcfa0210336131c836f07d94

SHA256
5a8f7a219be2d49dbc26247c93b287978c03886a53c56d0d0d977fcae14d9760

SHA512
279ec0bda5288884dd4f11e36e00344c4f21240d10111e5765aab5d21518ababac74c9c13fc63d28c0ce57bd0be40df31536d9958eeec50fc317d1f5f869eca0

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery-ui\jquery-ui.min.js

Filesize
233KB

MD5
2fd2b9b20d69c5a02614fcfcc223e6bc

SHA1
3bad15be61929f9fce8d723cc711907cd3f17f16

SHA256
2cf7b958dbcea337bd3af6106480fefbca95499d1e278c3209bc6e9a11267156

SHA512
634dc25d18d5680b50f836243c688087f4a19bb608204bac0fd5866370aae92b144d6029023e2e79ae801894b37aee7d033029c990633eb694a180fe6194fc46

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\jquery.min.js

Filesize
93KB

MD5
00f66eada2c54b64a3f632747ce1fe2d

SHA1
a4837154098ac13ccd72e08fd25d7bcf76826986

SHA256
100a135d8e7d5ebf1fe83b0b16da1d8d8b2321acdc4d5c24a1f9a7df53b23cf1

SHA512
11220e328a367f1086d0369686d09206badfd2cce18cdbc7420b4aca9785054ad7576f156b6039444f762f6a46a58ac7cefdc0f2bf031f215f59a8d6ae8e254d

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\moment\moment-duration-format.js

Filesize
12KB

MD5
c7af43b1559f182990227fbe38bdfcf8

SHA1
47abef5ac3ed1a021593ca3180b004c0dd25f8c0

SHA256
493c18c7fe2b367e761404dbdf0825b1166b28e7f16437ecf8dbba88f9135b56

SHA512
d141f40289f1e0964b56af22dad4e961782e0e3000e0b1ff5198fa0adcbed3fcb363c255d2d7bf1b16914fff873ae0638fef2e8dbe3fafe2ea186df26e8e8da8

Download Submit
C:\Program Files\Cold Turkey\web\assets\global\plugins\moment\moment-with-locales.min.js

Filesize
328KB

MD5
1b1c80b617bfcaf8c0766d41c4a3c680

SHA1
6319f4a7d5f345583a730ab527704ff2491a9043

SHA256
01d40df7c31566ce3812adb24f0b682ae7e19d4fae67bbf69179c3e6fab3655a

SHA512
8652e0221e279dc6f6c9ce183ed5a4e703b291c1711747c1779ac77c9eb1b002c8da4858dc7f0b6e2becc09139169cfb870b3b0890aa3b37728d61e2289625f8

Download Submit
C:\Program Files\Cold Turkey\web\index.html

Filesize
133KB

MD5
6a4509eba4abdc12faa80ca1d4870848

SHA1
24870f729ad1a63fb3f0f21b3116d08fa3577aa1

SHA256
e0723ce519d9c071bc7289606e542cf830f50abb4f096b83f657924f0270a200

SHA512
94d29428d9e822fe07c47400b89960f04ec39a7b3125676b73d7ca499f2893b8ef63d143fab3600a894fe9435098a6d84d72df9b55c75de894e3e796d6a197eb

Download Submit
C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Program Files\Cold Turkey\x86\SQLite.Interop.dll

Filesize
1.4MB

MD5
0792c1d3b4dc27c8a11be191e61f9276

SHA1
6d92350b14aa5ccccb321924215b135d2595fae9

SHA256
98b0e0e7cde328d21284687dd359e36a42d39a329d4353d3c39def990b46a18b

SHA512
126fdc341814f97fec2ed865eee7b84e4eb2888a784478f550b2fe929e088a8097c22ae888e21fd8209a8c91362ad5170aa5476d0f62962ef4d2577adbd80bf2

Download Submit
C:\ProgramData\Cold Turkey\data-app.db

Filesize
20KB

MD5
39a6dbb19cbacb19af5d40eb96b03ffc

SHA1
a262f45d67dcb00d6a1c039d2ccd8a57a96c926b

SHA256
a293e2ffe80c3dd8362c8112dee6fe27015e27b575fb00fc2263b16ebe047baf

SHA512
23e6988ac2bb5a463a6b1c31db2275f242450b2293ae8181131f334f1441f2118a8c981d17a1d0b23fc63620da184c4f1a5bbb8429b001f815f59a652318d8b4

Download Submit
C:\ProgramData\Cold Turkey\data-browser.db

Filesize
44KB

MD5
fb86a433e71c1ca0f4486f33b5a30672

SHA1
9f88be857e3c25cdc8cb02f4896b18131fc50d7b

SHA256
fcdec265073822f985ab1ea12d4086e3f85aa4422231632f1a63b3b3e39f97e5

SHA512
7afd28ff89b29de80e15f068239bd9bf36803b695362b2fd55e595f4e4e1176543578880a3f755ba4a60c85caebdcc62dd93207fc9f3a968f263845e67dc254a

Download Submit
C:\ProgramData\Cold Turkey\data-helper.db

Filesize
44KB

MD5
0fe2328c7f20af8ecf26a8c87fdff6c3

SHA1
8da9a15bbd8e0a629a5ad27dffa59b79074f5c80

SHA256
0cd00354601be6fee25ab2c69aaf096bec4ac24f20633835e2776bbd3d01fcfd

SHA512
5a44928251cc2fef7893d449813292ca5091aa9b34ee6bebc055bd20b17f7a3e5fa52b4a4b594bfef9458a3dc0d344caebb9838731d224b272abce5fcfc148f3

Download Submit
C:\ProgramData\Cold Turkey\data-service.db

Filesize
28KB

MD5
2bdf9228d077bb11656d1354cb65c163

SHA1
3c5e3d87039db98c3490c6926ba98f2f64ad2531

SHA256
e203d0f05fc43006f915ac764035eb95bad1d4949007ceebf7a2a5d2fd181c54

SHA512
68f04e50d7cc6d68ba223d61ab5f73affe19f69b70015f43e68f6f8ffc70712b5f608d993711adc907f050aeb04295d3328878754eeb9391c27150713da9e83d

Download Submit
C:\ProgramData\Cold Turkey\logs\error.log

Filesize
5KB

MD5
379384c49e4fd6b1b1f0efaa83a64d63

SHA1
61bec38a6e320d2742384d107da55b2ce3e7f402

SHA256
c18b84d0a1ce9ddb0dd9a5c9510a8926695f6ee39d03e2ddf909c47c5eb19522

SHA512
74b4b6b31da2c22cd2a8f45e68ab7ac97354c397f58c71b18a6bcb935d895f8d8adeef28bbc2abc2cc010168e9d6b7b5242116c2c94fddbde0d19d601c17c53a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
90a156baaaa6a5c01ee8b24a347048f1

SHA1
e0e23172051b37b988b215e15ec7ddb6db06942e

SHA256
45bdea49718bf1a1385ba53f8044a74ebb0a2b2a5319e41e68280f87977afa50

SHA512
bab2b54976d8877d80a61dc6a37f58f7c159d163b07f643ae64119e11f03da801ecf7dc5ec7719b907991191c52c1706fb2ad865e6fcc7fc8d295f29000d5899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a31129a6f68ddc79d7de251522fd09b8

SHA1
f8f889621a833ef56df53f84ffe462b6cb585274

SHA256
3408968b76f0d8fe1601989e3a82896939de48dc92ba7cc18dc55d1e74905bd2

SHA512
6329befdb962b2cae57b3d97a8de02309c5c8e60062217dfe63e633e8612d7c7e3c4b3138cb8f1c3e55d8714f863e21fde56c667150493d47ea6aff8aaf5cf06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
483e6d1377a0f891320a511c30542107

SHA1
09f3d9da3040de2497f4fb9d7d6e3edb5c0475a9

SHA256
106ad2a72df0c8866cffacee87759272a11f3254cb6f4a8c20a54470a162db96

SHA512
9bc2a44a1c6f9df4e9070c60ada31bf488b18c6f1ef932d5a72d51f35cd6b6831d6058b0318b812fdc4cbaf726d4f985db5aba3c56b17f46a859d9272bc1ebbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
622d83e78b3699985f09eb005b49d4ca

SHA1
af87b4fd1870abbdbd5346156d846be5019173b0

SHA256
198ab5a5365c1d4cdf5e1f8d8f4f200cf428cf6e1e105d58b330b766e8d4bff1

SHA512
568011954c1c2b8816dcd912550fafc4b50df9e21b3de77d5f4387845e9c51df20027699a2eab9dce73a7c229a5a3e8f38c3fbadb331318592c0307a73dadf53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c5a814c3-80f5-4dab-8328-52704875fa57.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETPRB.tmp\Cold_Turkey_Installer.tmp

Filesize
2.9MB

MD5
03840135bb43e6c3de3bee0724c3c187

SHA1
d2aab16c47eaf3b004671d3df045a284f1692280

SHA256
70b5fac312a869659bd0ef69a7df1ab46ad7f19f340eb659e57ca71a579da02a

SHA512
31ef538dc407aa5df2d303a77b4a56850a420e866befd58b63d5ec480027ffae14922731c97d20b1bef91c0e17f2ec148d798d318b01344cb59deb497b735e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OK5H1.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
memory/208-0-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/208-8-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/208-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/208-465-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1308-427-0x0000016DCBD50000-0x0000016DCBD76000-memory.dmp

Filesize
152KB

Download
memory/1308-420-0x0000016DCB3E0000-0x0000016DCB406000-memory.dmp

Filesize
152KB

Download
memory/1308-448-0x0000016DE5DD0000-0x0000016DE5E1C000-memory.dmp

Filesize
304KB

Download
memory/1308-439-0x0000016DE5E40000-0x0000016DE5EF2000-memory.dmp

Filesize
712KB

Download
memory/1308-426-0x0000016DE5D40000-0x0000016DE5D7A000-memory.dmp

Filesize
232KB

Download
memory/1308-422-0x0000016DCBCE0000-0x0000016DCBD46000-memory.dmp

Filesize
408KB

Download
memory/3548-417-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/3548-411-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/3548-410-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/3548-412-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/3548-413-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/3828-444-0x000001F4BD0A0000-0x000001F4BD124000-memory.dmp

Filesize
528KB

Download
memory/3828-812-0x000001F4D8770000-0x000001F4D8778000-memory.dmp

Filesize
32KB

Download
memory/3828-811-0x000001F4D8760000-0x000001F4D876A000-memory.dmp

Filesize
40KB

Download
memory/3828-809-0x000001F4D88F0000-0x000001F4D891C000-memory.dmp

Filesize
176KB

Download
memory/4992-718-0x000001E761E90000-0x000001E761F90000-memory.dmp

Filesize
1024KB

Download
memory/4992-614-0x000001DF5B330000-0x000001DF5B352000-memory.dmp

Filesize
136KB

Download
memory/4992-769-0x000001DF59FF0000-0x000001DF5A0F0000-memory.dmp

Filesize
1024KB

Download
memory/4992-730-0x000001DF59FF0000-0x000001DF5A0F0000-memory.dmp

Filesize
1024KB

Download
memory/4992-726-0x000001E75CFD0000-0x000001E75D0D0000-memory.dmp

Filesize
1024KB

Download
memory/4992-716-0x000001E761CA0000-0x000001E761CEA000-memory.dmp

Filesize
296KB

Download
memory/4992-714-0x000001E75D2D0000-0x000001E75DA76000-memory.dmp

Filesize
7.6MB

Download
memory/4992-502-0x000001DF3EB80000-0x000001DF3EC3A000-memory.dmp

Filesize
744KB

Download
memory/4992-581-0x000001DF5A610000-0x000001DF5A63C000-memory.dmp

Filesize
176KB

Download
memory/4992-731-0x000001DF59FF0000-0x000001DF5A0F0000-memory.dmp

Filesize
1024KB

Download
memory/4992-928-0x000001E75C5F0000-0x000001E75C6F0000-memory.dmp

Filesize
1024KB

Download
memory/4992-876-0x000001E7626F0000-0x000001E7627F0000-memory.dmp

Filesize
1024KB

Download
memory/4992-927-0x000001E7626F0000-0x000001E7627F0000-memory.dmp

Filesize
1024KB

Download
memory/5080-454-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/5080-10-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/5080-6-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/5080-12-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download