File name: DroidCam.Setup.6.5.2.exe

Full analysis: https://app.any.run/tasks/6c99ba1e-f745-491a-a78e-dba14213531d
Verdict: Malicious activity
Analysis date: September 30, 2024, 17:44:00
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

MD5: D952D907646A522CAF6EC5D00D114CE1
SHA1: 75AD9BACB60DED431058A50A220E22A35E3D03F7
SHA256: F92AD1E92780A039397FD62D04AFFE97F1A65D04E7A41C9B5DA6DD3FD265967E
SSDEEP: 393216:oZsfK4YUD12zS7SEOegn4j7BgNE9O+wcDGFdClu8ZLzzpC4:gsfKPUD1kS7249O3cDGvClnlC4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 5116)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Executable content was dropped or overwritten

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 1940)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 5328)
      • drvinst.exe (PID: 5756)
    • Process drops legitimate Windows executable

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
    • Application launched itself

      • vc_redist.x86.exe (PID: 2092)
    • Executing commands from a ".bat" file

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Drops a system driver (possible attempt to evade defenses)

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • insdrv.exe (PID: 1940)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 5328)
      • drvinst.exe (PID: 5084)
      • drvinst.exe (PID: 5756)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1568)
      • regsvr32.exe (PID: 3528)
      • drvinst.exe (PID: 1220)
    • Reads security settings of Internet Explorer

      • insdrv.exe (PID: 1940)
    • Checks Windows Trust Settings

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
    • Creates files in the driver directory

      • drvinst.exe (PID: 5084)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 1220)
    • Starts CMD.EXE for commands execution

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Searches for installed software

      • vc_redist.x86.exe (PID: 3832)
  • INFO

    • Checks supported languages

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 2092)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 1220)
    • Reads the computer name

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 2092)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 1220)
      • drvinst.exe (PID: 5084)
    • Creates files in the program directory

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Creates files in a temporary directory

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
    • Reads the machine GUID from the registry

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
    • Reads the software policy settings

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) | 67.4%
.dll | Win32 Dynamic Link Library (generic) | 14.2%
.exe | Win32 Executable (generic) | 9.7%
.exe | Generic Win/DOS Executable | 4.3%
.exe | DOS Executable Generic | 4.3%

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:24 06:35:15+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x31bb
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 138
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Processes in the graph, in the order shown ("no specs" marks a process with no indicators of its own):

start
droidcam.setup.6.5.2.exe
vc_redist.x86.exe (no specs)
vc_redist.x86.exe
cmd.exe (no specs)
conhost.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
insdrv.exe
conhost.exe (no specs)
drvinst.exe
drvinst.exe (no specs)
insdrv.exe
conhost.exe (no specs)
drvinst.exe
drvinst.exe
droidcam.setup.6.5.2.exe (no specs)

Process information

PID: 1220
CMD: DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:c14ce8845b5e8bf3:DroidCamVideo.Device:21.4.1.0:droidcamvideo," "41e7d49db" "00000000000001D8"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 1568
CMD: /s "DroidCamFilter64.ax"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1940
CMD: "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +v
Path: C:\Program Files (x86)\DroidCam\lib\insdrv.exe
Parent process: DroidCam.Setup.6.5.2.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files (x86)\droidcam\lib\insdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2092
CMD: "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
Path: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
Parent process: DroidCam.Setup.6.5.2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
Exit code: 1638 (ERROR_PRODUCT_VERSION: another version of this product is already installed)
Version: 14.0.23026.0
Modules (images):
c:\program files (x86)\droidcam\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3528
CMD: regsvr32 /s "DroidCamFilter32.ax"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 3832
CMD: "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{D80CE499-4FAB-46A7-8609-E6ECBCAE39DB} {7E102BB1-E79F-489D-8386-DF5A0D181DFB} 2092
Path: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
Parent process: vc_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
Exit code: 1638 (ERROR_PRODUCT_VERSION: another version of this product is already installed)
Version: 14.0.23026.0
Modules (images):
c:\program files (x86)\droidcam\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4160
CMD: regsvr32 /s "DroidCamFilter64.ax"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4284
CMD: "C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe"
Path: C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance exited at the UAC prompt; the elevated instance is PID 4544)
Modules (images):
c:\users\admin\desktop\droidcam.setup.6.5.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4544
CMD: "C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe"
Path: C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\droidcam.setup.6.5.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 16 601
Read events: 15 222
Write events: 1 368
Delete events: 11

Modification events

PID 3528, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Both

PID 3528, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: FriendlyName | Value: DroidCam Source 2

PID 3528, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: CLSID | Value: {9E2FBAC0-C951-4AA8-BFA9-4B196644964C}

PID 3528, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: FilterData
Value: 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000AA00389B7100000000000000000000000000000000

PID 1568, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Both

PID 1568, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: FriendlyName | Value: DroidCam Source 2

PID 1568, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: CLSID | Value: {9E2FBAC0-C951-4AA8-BFA9-4B196644964C}

PID 1568, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: FilterData
Value: 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000AA00389B7100000000000000000000000000000000

PID 4544, DroidCam.Setup.6.5.2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: DevicePath | Value: droidcam:2

PID 4544, DroidCam.Setup.6.5.2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write | Name: DevicePath | Value: droidcam:2

Note: {860BB310-5D01-11d0-BD3B-00A0C911CE86} is the DirectShow video input device category (CLSID_VideoInputDeviceCategory). These writes register the DroidCam capture filter as a virtual camera source in both the native 64-bit and the WOW6432Node (32-bit) registry views, which is what the "Registers / Runs the DLL via REGSVR32.EXE" and "Creates/Modifies COM task schedule object" indicators above are reacting to.
Executable files: 34
Suspicious files: 14
Text files: 47
Unknown types: 2

Dropped files

PID 4544, DroidCam.Setup.6.5.2.exe | C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\modern-wizard.bmp | image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
PID 4544, DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\adb\adb.exe | executable
  MD5: 3CB9F5E6FA7F2B9949F375F7F7AB2586
  SHA256: 634AB9882B5427A245BD139E5B7A2B5D10B24C4B50506257B5404C01882CCC02
PID 4544, DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\DroidCamApp.exe | executable
  MD5: F8C12FC1B20887FDB70C7F02F0D7BFB3
  SHA256: 082F5C3FD2FD80505CBD4DBDBB7C50E83C2E81F033A04EA53832DBF0A3FC4933
PID 4544, DroidCam.Setup.6.5.2.exe | C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\nsDialogs.dll | executable
  MD5: 12465CE89D3853918ED3476D70223226
  SHA256: 5157FE688CCA27D348171BD5A8B117DE348C0844CA5CB82BC68CBD7D873A3FDC
PID 4544, DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\adb\AdbWinUsbApi.dll | executable
  MD5: 0E24119DAF1909E398FA1850B6112077
  SHA256: 25207C506D29C4E8DCEB61B4BD50E8669BA26012988A43FBF26A890B1E60FC97
PID 4544, DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\plist.dll | executable
  MD5: AB595BC9A0F6F0D00B1F50A7E81AC5FB
  SHA256: 0A1E27CED2F8CE0314353C82F30EE8140FDE2E2725C4276390922930AAFCA773
PID 3832, vc_redist.x86.exe | C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1041\license.rtf | text
  MD5: 0D9DD57746D5609494B35314FA88FD93
  SHA256: AC0D8E0EAAB1875909A6A6F106A37CD7468F87F71887A44263F5F0178F99C40B
PID 3832, vc_redist.x86.exe | C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1036\license.rtf | text
  MD5: 6F70759DF32F212DBB65464258ECEEAF
  SHA256: C7F03DA5D9A7F689B8DCBD507FF0B3FA98DABA55616F902E5E47E9839B753E1F
PID 3832, vc_redist.x86.exe | C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1040\license.rtf | text
  MD5: 1D07E27F97CE22A58780A04227BE6465
  SHA256: F1214784C57AA3323426AF64D132045970717994EBA500B25283684DC1ADEBAA
PID 3832, vc_redist.x86.exe | C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1028\license.rtf | text
  MD5: EFA0E0316DBE1D01B04DB8AE55216E89
  SHA256: D5147EE2BA7826D5B68E0DC10FC2AC95079F89C38264C5648D924DEC9290D085
HTTP(S) requests: 2
TCP/UDP connections: 27
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | Type | Reputation
1932 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(not recorded) | (not recorded) | POST | 200 | 20.189.173.26:443 | https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not recorded) | (not recorded) | 51.104.136.2:443 | (not recorded) | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (not recorded) | (not recorded) | (not recorded) | whitelisted
(not recorded) | (not recorded) | 239.255.255.250:1900 | (not recorded) | (not recorded) | (not recorded) | whitelisted
4 | System | 192.168.100.255:138 | (not recorded) | (not recorded) | (not recorded) | whitelisted
(not recorded) | (not recorded) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1932 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(not recorded) | (not recorded) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1932 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5336 | SearchApp.exe | 20.189.173.26:443 | browser.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
browser.pipe.aria.microsoft.com
  • 20.189.173.26
whitelisted

Threats

No threats detected
No debug info