File name: DroidCam.Setup.6.5.2.exe
Full analysis: https://app.any.run/tasks/6c99ba1e-f745-491a-a78e-dba14213531d
Verdict: Malicious activity
Analysis date: September 30, 2024, 17:44:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: D952D907646A522CAF6EC5D00D114CE1
SHA1: 75AD9BACB60DED431058A50A220E22A35E3D03F7
SHA256: F92AD1E92780A039397FD62D04AFFE97F1A65D04E7A41C9B5DA6DD3FD265967E
SSDEEP: 393216:oZsfK4YUD12zS7SEOegn4j7BgNE9O+wcDGFdClu8ZLzzpC4:gsfKPUD1kS7249O3cDGvClnlC4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 5116)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • The process creates files with name similar to system file names

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Process drops legitimate windows executable

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
    • Executable content was dropped or overwritten

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 1940)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 5328)
      • drvinst.exe (PID: 5756)
    • Application launched itself

      • vc_redist.x86.exe (PID: 2092)
    • Searches for installed software

      • vc_redist.x86.exe (PID: 3832)
    • Executing commands from a ".bat" file

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Starts CMD.EXE for commands execution

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 3528)
      • regsvr32.exe (PID: 1568)
      • drvinst.exe (PID: 1220)
    • Drops a system driver (possible attempt to evade defenses)

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 5328)
      • drvinst.exe (PID: 5756)
    • Reads security settings of Internet Explorer

      • insdrv.exe (PID: 1940)
    • Checks Windows Trust Settings

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
    • Creates files in the driver directory

      • drvinst.exe (PID: 5084)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 1220)
  • INFO

    • Checks supported languages

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 2092)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 1220)
    • Reads the computer name

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • vc_redist.x86.exe (PID: 2092)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 1220)
      • drvinst.exe (PID: 5084)
    • Creates files in the program directory

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Create files in a temporary directory

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
    • Reads the software policy settings

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 1940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:24 06:35:15+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x31bb
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Processes shown in the graph, as labelled in the report ("no specs" is the report's own marker): start, droidcam.setup.6.5.2.exe, vc_redist.x86.exe (no specs), vc_redist.x86.exe, cmd.exe (no specs), conhost.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), insdrv.exe, conhost.exe (no specs), drvinst.exe, drvinst.exe (no specs), insdrv.exe, conhost.exe (no specs), drvinst.exe, drvinst.exe, droidcam.setup.6.5.2.exe (no specs)

Process information

PID 1220 (parent process: svchost.exe)
CMD: DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:c14ce8845b5e8bf3:DroidCamVideo.Device:21.4.1.0:droidcamvideo," "41e7d49db" "00000000000001D8"
Path: C:\Windows\System32\drvinst.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID 1568 (parent process: regsvr32.exe)
CMD: /s "DroidCamFilter64.ax"
Path: C:\Windows\System32\regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 1940 (parent process: DroidCam.Setup.6.5.2.exe)
CMD: "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +v
Path: C:\Program Files (x86)\DroidCam\lib\insdrv.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID 2092 (parent process: DroidCam.Setup.6.5.2.exe)
CMD: "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
Path: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
Exit code: 1638
Version: 14.0.23026.0

PID 2728 (parent process: cmd.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 3528 (parent process: cmd.exe)
CMD: regsvr32 /s "DroidCamFilter32.ax"
Path: C:\Windows\SysWOW64\regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 3832 (parent process: vc_redist.x86.exe)
CMD: "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{D80CE499-4FAB-46A7-8609-E6ECBCAE39DB} {7E102BB1-E79F-489D-8386-DF5A0D181DFB} 2092
Path: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
Exit code: 1638
Version: 14.0.23026.0

PID 4160 (parent process: cmd.exe)
CMD: regsvr32 /s "DroidCamFilter64.ax"
Path: C:\Windows\SysWOW64\regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 4284 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe"
Path: C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID 4544 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe"
Path: C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 34
Suspicious files: 14
Text files: 47
Unknown types: 2

Dropped files

PID | Process | Filename | Type

4544 | DroidCam.Setup.6.5.2.exe | C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\modern-wizard.bmp | image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
4544 | DroidCam.Setup.6.5.2.exe | C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\System.dll | executable
  MD5: C9473CB90D79A374B2BA6040CA16E45C
  SHA256: B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
4544 | DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\plist.dll | executable
  MD5: AB595BC9A0F6F0D00B1F50A7E81AC5FB
  SHA256: 0A1E27CED2F8CE0314353C82F30EE8140FDE2E2725C4276390922930AAFCA773
4544 | DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\usbmuxd.dll | executable
  MD5: B2DA89F5AAF0F2B85A4C41F5A7019125
  SHA256: 333BDA59AEA7770D4A1F7AB7A320D1B5E904B67F7C710988B5893177924A0D5F
4544 | DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\adb\AdbWinApi.dll | executable
  MD5: ED5A809DC0024D83CBAB4FB9933D598D
  SHA256: D60103A5E99BC9888F786EE916F5D6E45493C3247972CB053833803DE7E95CF9
4544 | DroidCam.Setup.6.5.2.exe | C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\nsDialogs.dll | executable
  MD5: 12465CE89D3853918ED3476D70223226
  SHA256: 5157FE688CCA27D348171BD5A8B117DE348C0844CA5CB82BC68CBD7D873A3FDC
4544 | DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\adb\AdbWinUsbApi.dll | executable
  MD5: 0E24119DAF1909E398FA1850B6112077
  SHA256: 25207C506D29C4E8DCEB61B4BD50E8669BA26012988A43FBF26A890B1E60FC97
4544 | DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\adb\adb.exe | executable
  MD5: 3CB9F5E6FA7F2B9949F375F7F7AB2586
  SHA256: 634AB9882B5427A245BD139E5B7A2B5D10B24C4B50506257B5404C01882CCC02
4544 | DroidCam.Setup.6.5.2.exe | C:\Program Files (x86)\DroidCam\DroidCamApp.exe | executable
  MD5: F8C12FC1B20887FDB70C7F02F0D7BFB3
  SHA256: 082F5C3FD2FD80505CBD4DBDBB7C50E83C2E81F033A04EA53832DBF0A3FC4933
4544 | DroidCam.Setup.6.5.2.exe | C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\nsExec.dll | executable
  MD5: 0A6F707FA22C3F3E5D1ABB54B0894AD6
  SHA256: 370E47364561FA501B1300B056FB53FAE12B1639FDF5F113275BEE03546081C0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 27
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1932 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 200 | 20.189.173.26:443 | https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176 | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

 | | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1932 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1932 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5336 | SearchApp.exe | 20.189.173.26:443 | browser.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

google.com | 172.217.16.206 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
browser.pipe.aria.microsoft.com | 20.189.173.26 | whitelisted

Threats

No threats detected
No debug info