| File name: | obs-virtualcam-2.0.5-Windows-installer.exe |
| Full analysis: | https://app.any.run/tasks/29987643-76c5-4e60-b4a8-bea6114b2416 |
| Verdict: | Malicious activity |
| Analysis date: | May 31, 2024, 21:40:24 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | EDE147E213E56844253030AAD616C26A |
| SHA1: | 5126199324484BA4D536D466324B75928C7C1A9A |
| SHA256: | AAE3B5FF00D18C0268799C4AD8B58F985E9BC281A08806398D771E62930AD514 |
| SSDEEP: | 24576:58mjUvtn1AKorI7yOqn5StbqEImeEP6TI6NPM9vRZ9vXCDk20NK/j7Vum6xP7qEJ:58mjytn1AKorI2Oqn5StbqZmeo6TI6Ny |
MALICIOUS
Drops the executable file immediately after the start
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Registers / Runs the DLL via REGSVR32.EXE
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
The process creates files with name similar to system file names
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Creates a software uninstall entry
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Executable content was dropped or overwritten
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
INFO
Checks supported languages
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Reads the computer name
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Creates files in the program directory
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Create files in a temporary directory
- obs-virtualcam-2.0.5-Windows-installer.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:12:16 00:50:47+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 25600 |
| InitializedDataSize: | 141824 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x33c4 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 864 | C:\Windows\system32\regsvr32.exe /s /n /i:1 "C:\Program Files\obs-studio\bin\64bit\obs-virtualsource.dll" | C:\Windows\System32\regsvr32.exe | — | obs-virtualcam-2.0.5-Windows-installer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3984 | "C:\Users\admin\AppData\Local\Temp\obs-virtualcam-2.0.5-Windows-installer.exe" | C:\Users\admin\AppData\Local\Temp\obs-virtualcam-2.0.5-Windows-installer.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 4088 | "C:\Users\admin\AppData\Local\Temp\obs-virtualcam-2.0.5-Windows-installer.exe" | C:\Users\admin\AppData\Local\Temp\obs-virtualcam-2.0.5-Windows-installer.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
2 379
Read events
2 377
Write events
2
Delete events
0
Modification events
| (PID) Process: | (4088) obs-virtualcam-2.0.5-Windows-installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\obs-virtualcam |
| Operation: | write | Name: | DisplayName |
Value: obs-virtualcam | |||
| (PID) Process: | (4088) obs-virtualcam-2.0.5-Windows-installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\obs-virtualcam |
| Operation: | write | Name: | UninstallString |
Value: C:\Program Files\obs-studio\uninstall_obs-virtualcam.exe | |||
Executable files
9
Suspicious files
3
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Users\admin\AppData\Local\Temp\nsk36B3.tmp\ioSpecial.ini | ini | |
MD5:E2D5070BC28DB1AC745613689FF86067 | SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0 | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\bin\64bit\obs-virtualsource.dll | executable | |
MD5:4CA8A209DD382063BD9BB175B7EE4F92 | SHA256:720E6AC6810A42F2037051C40595E38C1BF4BF93C4181CA780604D43D618C5A4 | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Users\admin\AppData\Local\Temp\nsk36B3.tmp\InstallOptions.dll | executable | |
MD5:09D8971BEEFEFFFD710030DD167A99E0 | SHA256:CAF64A4E9449220BA618A9AA2AE4ED3774C5D0F193BDA44BE22676C27AE0EC95 | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\obs-plugins\64bit\obs-virtualoutput.pdb | binary | |
MD5:44F2725D0030661F243403E9332CE4E1 | SHA256:756728281723DA2BCBED88074D3722B58DE7156B9AF27BD90EAE1023D0655B95 | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\data\obs-plugins\obs-virtualoutput\avutil-56.dll | executable | |
MD5:E21468D5A285DB10BBBA3184BA0D786C | SHA256:F0D7C0B179EEF1E361DB486B22B8D5BF1388609B998305293FDD3DC3B394A0E7 | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\data\obs-plugins\obs-virtualoutput\locale\zh-CN.ini | text | |
MD5:A23DD8C60F8CC41E8DC344E5213F4DDE | SHA256:2484685E04FEE97A848A7DF0D70076DA0093770ED0FFE5055983B77D83C75B7A | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\data\obs-plugins\obs-virtualoutput\obs-virtualsource.pdb | binary | |
MD5:AD9DFB9B80CFE7D0B13BA24A572646FB | SHA256:00FB6BBC18B74882417158741068866066BE4D78AD09C9AF96148E9DE9233155 | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\bin\64bit\obs-virtualsource.pdb | binary | |
MD5:7F9E7456C00447FDEA9DA8F011437412 | SHA256:1FC951C11D9D76CA1B31A954D53CF632EFD5216860133719A9E4397838208C3A | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\data\obs-plugins\obs-virtualoutput\locale\fr-FR.ini | text | |
MD5:A4E117B406D6AFD5ADFA95C4851AE1B7 | SHA256:F4E4BE2F694C4C3B9225CE314610BE3D248C98B2B476D42E947FDE48CE67ADED | |||
| 4088 | obs-virtualcam-2.0.5-Windows-installer.exe | C:\Program Files\obs-studio\data\obs-plugins\obs-virtualoutput\obs-virtualsource.dll | executable | |
MD5:BACDB4D6FD6EEF1611DFB9E706CA6F4E | SHA256:ADDF3509D865E6BB4EF6925A1242799D9393A2F5A24EC97BDAFEE020DD307E3B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |