| File name: | Carbonate-affinity.ed.exe |
| Full analysis: | https://app.any.run/tasks/bdbda0e6-9156-49b0-b163-d9cbdd576555 |
| Verdict: | Malicious activity |
| Analysis date: | February 06, 2025, 15:48:24 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections |
| MD5: | F58381E9A01C20DDBA386CC6553ACCE5 |
| SHA1: | 5EAD5A6438FEAD141B0CC52661FB049D960D9367 |
| SHA256: | A8DE64CBAC851151D3009A6C9DA018C2DF510964E5E076B1558A68DA0D85B947 |
| SSDEEP: | 98304:E+cD4dn0H3oZss1diT6AzdlLgBn/Z3zHb3Cidbz7TUASrYz5Ygrn0s+orJ8HAIHv:i5sAl |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Windows owner or organization settings
- Carbonate-affinity.ed.tmp (PID: 3640)
Executable content was dropped or overwritten
- Carbonate-affinity.ed.exe (PID: 1804)
- Carbonate-affinity.ed.tmp (PID: 3640)
- carbonate_mini_installer.exe (PID: 1684)
- setup.exe (PID: 3736)
Application launched itself
- setup.exe (PID: 4320)
- setup.exe (PID: 3736)
- Carbonate.exe (PID: 1144)
Process drops legitimate windows executable
- Carbonate-affinity.ed.tmp (PID: 3640)
- setup.exe (PID: 3736)
Reads the date of Windows installation
- setup.exe (PID: 4320)
Reads security settings of Internet Explorer
- setup.exe (PID: 4320)
INFO
Create files in a temporary directory
- Carbonate-affinity.ed.tmp (PID: 3640)
- Carbonate-affinity.ed.exe (PID: 1804)
- carbonate_mini_installer.exe (PID: 1684)
Checks supported languages
- Carbonate-affinity.ed.tmp (PID: 3640)
- Carbonate-affinity.ed.exe (PID: 1804)
- setup.exe (PID: 3736)
- CarbonateUtility.exe (PID: 4520)
- setup.exe (PID: 2744)
- CarbonateUtility.exe (PID: 6340)
Reads the computer name
- Carbonate-affinity.ed.tmp (PID: 3640)
- CarbonateUtility.exe (PID: 4520)
- setup.exe (PID: 3736)
Reads the machine GUID from the registry
- Carbonate-affinity.ed.tmp (PID: 3640)
Disables trace logs
- Carbonate-affinity.ed.tmp (PID: 3640)
Detects InnoSetup installer (YARA)
- Carbonate-affinity.ed.exe (PID: 1804)
- Carbonate-affinity.ed.tmp (PID: 3640)
Compiled with Borland Delphi (YARA)
- Carbonate-affinity.ed.exe (PID: 1804)
- Carbonate-affinity.ed.tmp (PID: 3640)
Reads the software policy settings
- Carbonate-affinity.ed.tmp (PID: 3640)
The sample compiled with english language support
- carbonate_mini_installer.exe (PID: 1684)
- setup.exe (PID: 3736)
Checks proxy server information
- Carbonate-affinity.ed.tmp (PID: 3640)
- CarbonateUtility.exe (PID: 4520)
Creates files or folders in the user directory
- setup.exe (PID: 3736)
- setup.exe (PID: 4320)
- CarbonateUtility.exe (PID: 4520)
- Carbonate-affinity.ed.tmp (PID: 3640)
Creates files in the program directory
- CarbonateUtility.exe (PID: 4520)
Process checks computer location settings
- CarbonateUtility.exe (PID: 6340)
Application launched itself
- msedge.exe (PID: 936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:04:14 16:10:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 382976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.12.0.0 |
| ProductVersionNumber: | 1.12.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Carbonate |
| FileDescription: | Carbonate Setup |
| FileVersion: | 1.12.0 |
| LegalCopyright: | Carbonate |
| OriginalFileName: | |
| ProductName: | Carbonate |
| ProductVersion: | 1.12.0/d92fb84/2024-12-13T15:13:26+00:00/prod |
Total processes
156
Monitored processes
28
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 396 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4300 --field-trial-handle=2516,i,8240087347381831033,3930749339643489084,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 936 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://carbonatebrowser.com/ty/thank-you?guid=22724f61-0d2b-42e1-afdd-e91ee506adb2&ext.id=&ext.version=1.12.0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | CarbonateUtility.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1144 | "C:\Users\admin\AppData\Local\Carbonate\Carbonate\Application\carbonate.exe" --start-maximized https://tab.carbonatebrowser-site.com/247/affinity/index.html?firstNT=true&guid=22724f61-0d2b-42e1-afdd-e91ee506adb2&version=1.12.0&vertical=Carbonate&version=1.12.0 | C:\Users\admin\AppData\Local\Carbonate\Carbonate\Application\Carbonate.exe | — | CarbonateUtility.exe | |||||||||||
User: admin Company: The Carbonate Authors Integrity Level: MEDIUM Description: Carbonate Version: 126.1.12.78 Modules
| |||||||||||||||
| 1684 | "C:\Users\admin\AppData\Local\Temp\carbonate_mini_installer.exe" /silent --do-not-launch-chrome --version="1.12.0" | C:\Users\admin\AppData\Local\Temp\carbonate_mini_installer.exe | Carbonate-affinity.ed.tmp | ||||||||||||
User: admin Company: The Carbonate Authors Integrity Level: MEDIUM Description: Carbonate Installer Exit code: 0 Version: 126.1.12.78 Modules
| |||||||||||||||
| 1804 | "C:\Users\admin\AppData\Local\Temp\Carbonate-affinity.ed.exe" | C:\Users\admin\AppData\Local\Temp\Carbonate-affinity.ed.exe | explorer.exe | ||||||||||||
User: admin Company: Carbonate Integrity Level: MEDIUM Description: Carbonate Setup Exit code: 0 Version: 1.12.0 Modules
| |||||||||||||||
| 2072 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x320,0x324,0x314,0x32c,0x7ff8216a5fd8,0x7ff8216a5fe4,0x7ff8216a5ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2460 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4960 --field-trial-handle=2516,i,8240087347381831033,3930749339643489084,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2744 | C:\Users\admin\AppData\Local\Temp\CR_47753.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Carbonate\Carbonate\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Carbonate --annotation=ver=126.1.12.78 --initial-client-data=0x2b0,0x2b4,0x2b8,0x230,0x2bc,0x7ff70d14e460,0x7ff70d14e46c,0x7ff70d14e478 | C:\Users\admin\AppData\Local\Temp\CR_47753.tmp\setup.exe | — | setup.exe | |||||||||||
User: admin Company: The Carbonate Authors Integrity Level: MEDIUM Description: Carbonate Installer Exit code: 0 Version: 126.1.12.78 Modules
| |||||||||||||||
| 3620 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4188 --field-trial-handle=2516,i,8240087347381831033,3930749339643489084,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 3640 | "C:\Users\admin\AppData\Local\Temp\is-EQMDH.tmp\Carbonate-affinity.ed.tmp" /SL5="$5035A,2253574,1125888,C:\Users\admin\AppData\Local\Temp\Carbonate-affinity.ed.exe" | C:\Users\admin\AppData\Local\Temp\is-EQMDH.tmp\Carbonate-affinity.ed.tmp | Carbonate-affinity.ed.exe | ||||||||||||
User: admin Company: Carbonate Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
7 392
Read events
7 253
Write events
139
Delete events
0
Modification events
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (3640) Carbonate-affinity.ed.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Carbonate-affinity_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
249
Suspicious files
68
Text files
24
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Temp\carbonate_mini_installer.exe | — | |
MD5:— | SHA256:— | |||
| 1684 | carbonate_mini_installer.exe | C:\Users\admin\AppData\Local\Temp\CR_47753.tmp\CHROME.PACKED.7Z | — | |
MD5:— | SHA256:— | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Temp\is-3RT2H.tmp\_isetup\_setup64.tmp | executable | |
MD5:E4211D6D009757C078A9FAC7FF4F03D4 | SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Temp\is-3RT2H.tmp\downloader.dll | executable | |
MD5:5229B13F73B5BF037392567DF56837C4 | SHA256:6E6DC72BF04269A03382C68D328D30CC930FE9C7F9B1BC1F713606CCDDCAD39E | |||
| 1684 | carbonate_mini_installer.exe | C:\Users\admin\AppData\Local\Temp\CR_47753.tmp\SETUP.EX_ | compressed | |
MD5:37629824CF9A1FE9BD47EA2264DC94D5 | SHA256:5D99F86DE4474B4B24A1B6DC0EAC38D2AE5F7D717040451A2901E122692B0143 | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Temp\carbonate_lp_params.json | binary | |
MD5:B96F6C0705D0D367444C6E50094585D5 | SHA256:0164D01946A1077CA2E4B0A94D797BCCABCF4DEB71E15F26F0E03CA75493AE0D | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Carbonate\Carbonate\Application\Utility\is-AOJMV.tmp | xml | |
MD5:9EC6C63C3730A04FBAC20825ADF7AC41 | SHA256:FBD807FC9B1CB14C3C2755720A2B86C86C0BCDE1AEC3177215D5E838054DD969 | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Carbonate\Carbonate\Application\unins000.exe | executable | |
MD5:3633FB89FFC22D5A02AF184ED06C7BCB | SHA256:C09E2D032A08A5DE95C6D62B0EFE83639661DF9D6755EDB1FE009699F836D78A | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Carbonate\Carbonate\Application\Utility\CarbonateUtility.exe.config | xml | |
MD5:9EC6C63C3730A04FBAC20825ADF7AC41 | SHA256:FBD807FC9B1CB14C3C2755720A2B86C86C0BCDE1AEC3177215D5E838054DD969 | |||
| 3640 | Carbonate-affinity.ed.tmp | C:\Users\admin\AppData\Local\Carbonate\Carbonate\Application\Utility\is-AFKOJ.tmp | executable | |
MD5:FF34978B62D5E0BE84A895D9C30F99AE | SHA256:80678203BD0203A6594F4E330B22543C0DE5059382BB1C9334B7868B8F31B1BC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
37
DNS requests
21
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7104 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7104 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6640 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3640 | Carbonate-affinity.ed.tmp | 3.223.59.90:443 | analytics.carbonatebrowser-api.com | AMAZON-AES | US | unknown |
1200 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3640 | Carbonate-affinity.ed.tmp | 3.212.215.221:443 | lpservices.carbonatebrowser.com | AMAZON-AES | US | unknown |
3000 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3640 | Carbonate-affinity.ed.tmp | 54.163.176.50:443 | downloads.carbonatebrowser-api.com | AMAZON-AES | US | unknown |
5064 | SearchApp.exe | 92.123.104.19:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5064 | SearchApp.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
3640 | Carbonate-affinity.ed.tmp | 169.150.247.37:443 | bunnycdn.carbonatebrowser.com | — | GB | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
analytics.carbonatebrowser-api.com |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
lpservices.carbonatebrowser.com |
| unknown |
downloads.carbonatebrowser-api.com |
| unknown |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
bunnycdn.carbonatebrowser.com |
| unknown |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |