File name:	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe
Full analysis:	https://app.any.run/tasks/ee3084df-531e-409d-9928-529dfd2979a5
Verdict:	Malicious activity
Analysis date:	August 05, 2024, 21:05:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	B19DD113B6560D54D7A0526474D29EFB
SHA1:	7F05587E6CF50CB8EA6AA8023931CB74925328C0
SHA256:	13EAD029D3C60CD0A1F3A803618B73CCCBB70EFFB12067403D50F7FF152E3A2B
SSDEEP:	98304:5EAc+0wJfDX6m0/26zLTCVj53aSzYblgzUPEjune7Z7J4PWzNd885+FVPIiUJFiG:mQ5U1jkJfCoDEiZ

.exe	\|	Win32 EXE PECompact compressed (generic) (79.7)
.exe	\|	Win32 Executable (generic) (8.6)
.exe	\|	Win16/32 Executable Delphi generic (3.9)
.exe	\|	Generic Win/DOS Executable (3.8)
.exe	\|	DOS Executable Generic (3.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:06:28 14:10:26+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	143872
InitializedDataSize:	414208
UninitializedDataSize:	-
EntryPoint:	0x24530
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.3.5.33349
ProductVersionNumber:	1.3.5.33349
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Camomile
CompanyName:	Outbyte
FileDescription:	Outbyte Camomile Installation File
FileVersion:	1.3.5.33349
LegalCopyright:	Copyright © 2016-2024 Outbyte Computing Pty Ltd
OriginalFileName:	Outbyte-camomile-setup.exe
ProductName:	Camomile
ProductVersion:	1.x


(PID) Process:	(6532) 13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Outbyte\Camomile\1.x\Settings
Operation:	write	Name:	General.CustomClientId
Value: 1036007967.878760671294
(PID) Process:	(6532) 13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Outbyte\Camomile\1.x\Settings
Operation:	write	Name:	General.URLClientId
Value: 1036007967.878760671294
(PID) Process:	(6532) 13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6532) 13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6532) 13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7040) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D484312-2A78-96B5-2103-981509CE347B}\Version
Operation:	write	Name:	Assembly
Value: DD43AD432CA6ADD1E217C896D0CE2EF1DD43AD432CA6ADD1E217C896D0CE2EF188AD8CBB5ED3F66B83A8A2CDF194269C890BB34AEBD806E41A50D3BD9C0B4765219909F09E75DEC0927FF4E8152284CD219909F09E75DEC0927FF4E8152284CD59B5414605BAE21E9735786EB516D3F8DE1283C2AFF9BF99D33ED2740C86BBD2F8157495FE950FA4A01046BB55F00DAD0F20AA1B1ADFE602954529934D03147D
(PID) Process:	(7040) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Outbyte\Camomile\1.x\Settings
Operation:	write	Name:	General.TrackingIV.CID
Value: 1164832161.1722891929
(PID) Process:	(7040) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Outbyte\Camomile\1.x\Settings
Operation:	write	Name:	General.TrackingIV.SID
Value: bgiQqmrJNG
(PID) Process:	(7040) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Outbyte\Camomile\1.x\Settings
Operation:	write	Name:	Application.GAIV.FunnelDate
Value: C7F53E1FBC38E640
(PID) Process:	(7040) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Outbyte\Camomile\1.x\Settings
Operation:	write	Name:	General.Language
Value: ENU

PID	Process	Filename		Type
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\SetupHelper.dll		executable
		MD5:968E2D92289349F1BF511D82D43C9A08	SHA256:B48EF04304B2F3B1C02FB5E8A515D86FA3016C23F7EF61DE87D5C71428422D44
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\Installer.exe		binary
		MD5:16F702FAA067CD4B2D01723CB5AE7715	SHA256:B2E520129C46B4EC12D0A8E61E952CB13ADB1E3F224D6A24C3BD6C1BB511C6E3
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\InstallerUtils.dll		executable
		MD5:4B2CEEC372B73F28BA88AA18F5AA43D5	SHA256:091CD179739748C1D926F8906CB16C82C6570E3BE35B98E429F2768F78FE72E7
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\rtl250.bpl		executable
		MD5:78300463F47D667E95556136216EB65D	SHA256:8BBC35AD62161DC1947DB58AA539086C95B6065EDD27752276F087F7BE34BF17
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\GoogleAnalyticsHelperIV.dll		executable
		MD5:CC648E7EDE976B8CCBBE5C102378E9F9	SHA256:07B5C5777A5BA7296F5A342F070AB0A5E875F371ED6B5E1F584767D426CEAA2E
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\vclimg250.bpl		executable
		MD5:F9BDA6ED3F5581CC84CD1D82188A4A9B	SHA256:1B3D4A7FBF8202C3011D32BDF4F05EC8B0FE5C3AB0EBAD404E51DC2556BFF7A6
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\AxComponentsVCL.bpl		binary
		MD5:D0A03E9B8216B4D7BB675A4399B00E03	SHA256:AD60E2A61E78F4F2C456A6D6775C9DD99EF8DFD4C52534CE85411A9C3E3959C8
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\AxComponentsRTL.bpl		executable
		MD5:8C68E999AC95C24BF0A9BE79960CB814	SHA256:155D663E783FC9F7EBC1A011A3FA2E7C0C51EEC78AFD1ED72107AE55148AE8F8
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\vcl250.bpl		executable
		MD5:C833A5A9187943C4B97074326FDFA728	SHA256:8E89A9578E9F5F2E4D126911A5C365097F1B73880D627113BAFA0550D6A8EE0B
6532	13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe	C:\Users\admin\AppData\Local\Temp\is-26705108.tmp\sqlite3.dll		executable
		MD5:E2DA7818C20C94B40EDA0B537BEF1813	SHA256:60FB95D0BE38A0EAA9A8557C351AC4D2B8049A070E971D54A6E87778580181F6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7040	Installer.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
7040	Installer.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAwfypkv9EfKYa1bFvWpvwk%3D	unknown	—	—	whitelisted
7040	Installer.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
—	—	GET	200	45.33.97.245:443	https://outbyte.com/tools/userdata/?product=camomile	unknown	binary	13 b	—
—	—	POST	204	142.250.185.174:443	https://www.google-analytics.com/mp/collect?measurement_id=G-QTQBVV0VMZ&api_secret=fQBOu9FyRGKwbNm3XoJHqw	unknown	—	—	—
—	—	GET	200	45.33.97.245:443	https://outbyte.com/sid/get/bgiQqmrJNG/	unknown	binary	51 b	—
—	—	GET	200	45.33.97.245:443	https://outbyte.com/tools/ipInfo/	unknown	binary	117 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3140	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4016	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4016	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
7040	Installer.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
google.com	142.250.186.110	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
outbyte.com	45.33.97.245	unknown
www.google-analytics.com	142.250.185.78	whitelisted

General Info

13ead029d3c60cd0a1f3a803618b73cccbb70effb12067403d50f7ff152e3a2b.exe

B19DD113B6560D54D7A0526474D29EFB

7F05587E6CF50CB8EA6AA8023931CB74925328C0

13EAD029D3C60CD0A1F3A803618B73CCCBB70EFFB12067403D50F7FF152E3A2B

98304:5EAc+0wJfDX6m0/26zLTCVj53aSzYblgzUPEjune7Z7J4PWzNd885+FVPIiUJFiG:mQ5U1jkJfCoDEiZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

Process drops SQLite DLL files

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads the BIOS version

There is functionality for communication over UDP network (YARA)

Reads the Windows owner or organization settings

INFO

Checks supported languages

Reads Environment values

Create files in a temporary directory

Process checks computer location settings

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Reads Windows Product ID

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings