File name: DroidCam.Setup.6.5.2.exe

Full analysis: https://app.any.run/tasks/6c99ba1e-f745-491a-a78e-dba14213531d
Verdict: Malicious activity
Analysis date: September 30, 2024, 17:44:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: D952D907646A522CAF6EC5D00D114CE1
SHA1: 75AD9BACB60DED431058A50A220E22A35E3D03F7
SHA256: F92AD1E92780A039397FD62D04AFFE97F1A65D04E7A41C9B5DA6DD3FD265967E
SSDEEP: 393216:oZsfK4YUD12zS7SEOegn4j7BgNE9O+wcDGFdClu8ZLzzpC4:gsfKPUD1kS7249O3cDGvClnlC4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 5116)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • The process creates files with name similar to system file names

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Process drops legitimate windows executable

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
    • Executable content was dropped or overwritten

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • drvinst.exe (PID: 5328)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 5756)
    • Application launched itself

      • vc_redist.x86.exe (PID: 2092)
    • Starts CMD.EXE for commands execution

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Executing commands from a ".bat" file

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1568)
      • regsvr32.exe (PID: 3528)
      • drvinst.exe (PID: 1220)
    • Drops a system driver (possible attempt to evade defenses)

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 5328)
      • drvinst.exe (PID: 5756)
    • Reads security settings of Internet Explorer

      • insdrv.exe (PID: 1940)
    • Creates files in the driver directory

      • drvinst.exe (PID: 5084)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 1940)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 1220)
    • Searches for installed software

      • vc_redist.x86.exe (PID: 3832)
  • INFO

    • Checks supported languages

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 2092)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
      • drvinst.exe (PID: 1220)
    • Reads the computer name

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • drvinst.exe (PID: 1220)
      • vc_redist.x86.exe (PID: 2092)
    • Creates files in the program directory

      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Creates files in a temporary directory

      • vc_redist.x86.exe (PID: 3832)
      • insdrv.exe (PID: 1940)
      • DroidCam.Setup.6.5.2.exe (PID: 4544)
    • Reads the machine GUID from the registry

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
    • Reads the software policy settings

      • insdrv.exe (PID: 1940)
      • drvinst.exe (PID: 5084)
      • insdrv.exe (PID: 5732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:24 06:35:15+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x31bb
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Process chain shown in the graph ("no specs" marks processes for which the report holds no detailed information):
  • start
  • droidcam.setup.6.5.2.exe
  • vc_redist.x86.exe (no specs)
  • vc_redist.x86.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • insdrv.exe
  • conhost.exe (no specs)
  • drvinst.exe
  • drvinst.exe (no specs)
  • insdrv.exe
  • conhost.exe (no specs)
  • drvinst.exe
  • drvinst.exe
  • droidcam.setup.6.5.2.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1220
CMD: DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:c14ce8845b5e8bf3:DroidCamVideo.Device:21.4.1.0:droidcamvideo," "41e7d49db" "00000000000001D8"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 1568
CMD: /s "DroidCamFilter64.ax"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1940
CMD: "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +v
Path: C:\Program Files (x86)\DroidCam\lib\insdrv.exe
Parent process: DroidCam.Setup.6.5.2.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files (x86)\droidcam\lib\insdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2092
CMD: "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
Path: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
Parent process: DroidCam.Setup.6.5.2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
Exit code: 1638
Version: 14.0.23026.0
Modules
Images
c:\program files (x86)\droidcam\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3528
CMD: regsvr32 /s "DroidCamFilter32.ax"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 3832
CMD: "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{D80CE499-4FAB-46A7-8609-E6ECBCAE39DB} {7E102BB1-E79F-489D-8386-DF5A0D181DFB} 2092
Path: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
Parent process: vc_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
Exit code: 1638
Version: 14.0.23026.0
Modules
Images
c:\program files (x86)\droidcam\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4160
CMD: regsvr32 /s "DroidCamFilter64.ax"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4284
CMD: "C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe"
Path: C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\users\admin\desktop\droidcam.setup.6.5.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4544
CMD: "C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe"
Path: C:\Users\admin\Desktop\DroidCam.Setup.6.5.2.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\desktop\droidcam.setup.6.5.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 16 601
Read events: 15 222
Write events: 1 368
Delete events: 11

Modification events

(PID) Process: (3528) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (3528) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: FriendlyName
Value: DroidCam Source 2

(PID) Process: (3528) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: CLSID
Value: {9E2FBAC0-C951-4AA8-BFA9-4B196644964C}

(PID) Process: (3528) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: FilterData
Value: 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000AA00389B7100000000000000000000000000000000

(PID) Process: (1568) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (1568) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: FriendlyName
Value: DroidCam Source 2

(PID) Process: (1568) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: CLSID
Value: {9E2FBAC0-C951-4AA8-BFA9-4B196644964C}

(PID) Process: (1568) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: FilterData
Value: 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000AA00389B7100000000000000000000000000000000

(PID) Process: (4544) DroidCam.Setup.6.5.2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: DevicePath
Value: droidcam:2

(PID) Process: (4544) DroidCam.Setup.6.5.2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}
Operation: write
Name: DevicePath
Value: droidcam:2
Executable files: 34
Suspicious files: 14
Text files: 47
Unknown types: 2

Dropped files

Columns: PID | Process | Filename | Type
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\System.dll | Type: executable
MD5: C9473CB90D79A374B2BA6040CA16E45C
SHA256: B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
PID: 3832 | Process: vc_redist.x86.exe | Filename: C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1041\license.rtf | Type: text
MD5: 0D9DD57746D5609494B35314FA88FD93
SHA256: AC0D8E0EAAB1875909A6A6F106A37CD7468F87F71887A44263F5F0178F99C40B
PID: 3832 | Process: vc_redist.x86.exe | Filename: C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1028\license.rtf | Type: text
MD5: EFA0E0316DBE1D01B04DB8AE55216E89
SHA256: D5147EE2BA7826D5B68E0DC10FC2AC95079F89C38264C5648D924DEC9290D085
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Program Files (x86)\DroidCam\adb\AdbWinApi.dll | Type: executable
MD5: ED5A809DC0024D83CBAB4FB9933D598D
SHA256: D60103A5E99BC9888F786EE916F5D6E45493C3247972CB053833803DE7E95CF9
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\modern-wizard.bmp | Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Program Files (x86)\DroidCam\DroidCamApp.exe | Type: executable
MD5: F8C12FC1B20887FDB70C7F02F0D7BFB3
SHA256: 082F5C3FD2FD80505CBD4DBDBB7C50E83C2E81F033A04EA53832DBF0A3FC4933
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Program Files (x86)\DroidCam\adb\AdbWinUsbApi.dll | Type: executable
MD5: 0E24119DAF1909E398FA1850B6112077
SHA256: 25207C506D29C4E8DCEB61B4BD50E8669BA26012988A43FBF26A890B1E60FC97
PID: 3832 | Process: vc_redist.x86.exe | Filename: C:\Users\admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\1040\license.rtf | Type: text
MD5: 1D07E27F97CE22A58780A04227BE6465
SHA256: F1214784C57AA3323426AF64D132045970717994EBA500B25283684DC1ADEBAA
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsk6E77.tmp\nsExec.dll | Type: executable
MD5: 0A6F707FA22C3F3E5D1ABB54B0894AD6
SHA256: 370E47364561FA501B1300B056FB53FAE12B1639FDF5F113275BEE03546081C0
PID: 4544 | Process: DroidCam.Setup.6.5.2.exe | Filename: C:\Program Files (x86)\DroidCam\vc_redist.x86.exe | Type: executable
MD5: 1A15E6606BAC9647E7AD3CAA543377CF
SHA256: FDD1E1F0DCAE2D0AA0720895EFF33B927D13076E64464BB7C7E5843B7667CD14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 27
DNS requests: 5
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

PID: 1932 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 88.221.169.152:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
PID: (not given) | Process: (not given) | Method: POST | HTTP Code: 200 | IP: 20.189.173.26:443 | URL: https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176 | CN: unknown | Reputation: whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

IP: 51.104.136.2:443 | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 1932 | Process: svchost.exe | IP: 88.221.169.152:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: DE | Reputation: whitelisted
IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 1932 | Process: svchost.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 5336 | Process: SearchApp.exe | IP: 20.189.173.26:443 | Domain: browser.pipe.aria.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
browser.pipe.aria.microsoft.com
  • 20.189.173.26
whitelisted

Threats

No threats detected
No debug info