f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e

Analysis

max time kernel
19s
max time network
32s
platform
windows7_x64
resource
win7-20231129-es
resource tags

arch:x64arch:x86image:win7-20231129-eslocale:es-esos:windows7-x64systemwindows
submitted
20-02-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DroidCam.Setup.6.5.2.exe
Size

15.6MB
MD5

d952d907646a522caf6ec5d00d114ce1
SHA1

75ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256

f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA512

3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe
SSDEEP

393216:oZsfK4YUD12zS7SEOegn4j7BgNE9O+wcDGFdClu8ZLzzpC4:gsfKPUD1kS7249O3cDGvClnlC4

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET5FEB.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET5FEB.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\droidcam.sys	DrvInst.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\SET3F80.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\droidcam.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	insdrv.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	insdrv.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	insdrv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\droidcam.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\SET3F82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\SET3F80.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\SET3F81.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\droidcam.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\SET3F81.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\SET3F82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DroidCam\lib\insdrv.exe	DroidCam.Setup.6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\lib\droidcam.sys	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\adb\AdbWinUsbApi.dll	DroidCam.Setup.6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\vc_redist.x86.exe	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\droidcam.inf	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\libwinpthread-1.dll	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\vc_redist.x86.exe	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\usbmuxd.dll	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\Licence.txt	DroidCam.Setup.6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\lib\droidcam.cat	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\adb\adb.exe	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\install.bat	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\droidcam.cat	DroidCam.Setup.6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\lib\droidcam.inf	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\avcodec-58.dll	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\loading.gif	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\DroidCamFilter64.ax	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\DroidCamFilter32.ax	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\Toggle HD Mode.lnk	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\With Stats.lnk	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\adb\AdbWinApi.dll	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\DroidCamApp.exe	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\droidcam.sys	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\plist.dll	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\swscale-5.dll	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\Uninstall.exe	DroidCam.Setup.6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\avutil-56.dll	DroidCam.Setup.6.5.2.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\volsnap.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\wdmaudio.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\ksfilter.PNF	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	insdrv.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	insdrv.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\ks.PNF	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
2636	vc_redist.x86.exe
2700	vc_redist.x86.exe
972	insdrv.exe

Loads dropped DLL 17 IoCs

pid	Process
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
2636	vc_redist.x86.exe
2700	vc_redist.x86.exe
1472	regsvr32.exe
2600	regsvr32.exe
2704	regsvr32.exe
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
1380	Process not Found
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe
2220	DroidCam.Setup.6.5.2.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C}	DroidCam.Setup.6.5.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2"	DroidCam.Setup.6.5.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C}	DroidCam.Setup.6.5.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter32.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2"	DroidCam.Setup.6.5.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	insdrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	insdrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	insdrv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeRestorePrivilege	928	rundll32.exe
Token: SeBackupPrivilege	2064	vssvc.exe
Token: SeRestorePrivilege	2064	vssvc.exe
Token: SeAuditPrivilege	2064	vssvc.exe
Token: SeBackupPrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1268	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeLoadDriverPrivilege	1356	DrvInst.exe
Token: SeLoadDriverPrivilege	1356	DrvInst.exe
Token: SeLoadDriverPrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	972	insdrv.exe
Token: SeLoadDriverPrivilege	972	insdrv.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeRestorePrivilege	1884	DrvInst.exe
Token: SeLoadDriverPrivilege	1884	DrvInst.exe
Token: SeLoadDriverPrivilege	1884	DrvInst.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2220 wrote to memory of 2636	2220	DroidCam.Setup.6.5.2.exe	28
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2636 wrote to memory of 2700	2636	vc_redist.x86.exe	29
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 2220 wrote to memory of 968	2220	DroidCam.Setup.6.5.2.exe	31
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 1472	968	cmd.exe	32
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 968 wrote to memory of 2600	968	cmd.exe	33
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2600 wrote to memory of 2704	2600	regsvr32.exe	34
PID 2220 wrote to memory of 972	2220	DroidCam.Setup.6.5.2.exe	36
PID 2220 wrote to memory of 972	2220	DroidCam.Setup.6.5.2.exe	36
PID 2220 wrote to memory of 972	2220	DroidCam.Setup.6.5.2.exe	36
PID 2220 wrote to memory of 972	2220	DroidCam.Setup.6.5.2.exe	36
PID 1268 wrote to memory of 928	1268	DrvInst.exe	38
PID 1268 wrote to memory of 928	1268	DrvInst.exe	38
PID 1268 wrote to memory of 928	1268	DrvInst.exe	38
PID 2376 wrote to memory of 2548	2376	chrome.exe	44
PID 2376 wrote to memory of 2548	2376	chrome.exe	44
PID 2376 wrote to memory of 2548	2376	chrome.exe	44
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46
PID 2376 wrote to memory of 2600	2376	chrome.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DroidCam.Setup.6.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\DroidCam.Setup.6.5.2.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
  "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
    "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{9F713AEF-3059-48C0-98B4-A3F70EAEEB3E} {2CE3069D-5CCB-49B2-B920-2828A0C60657} 2636
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c install.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "DroidCamFilter32.ax"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1472
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "DroidCamFilter64.ax"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\regsvr32.exe
      /s "DroidCamFilter64.ax"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2704
- C:\Program Files (x86)\DroidCam\lib\insdrv.exe
  "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:972

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{44333efa-06b8-17f7-3b9e-073c47ff140c}\droidcam.inf" "9" "6e67c8bbf" "00000000000005AC" "WinSta0\Default" "00000000000003A4" "208" "c:\program files (x86)\droidcam\lib"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6d86edcb-cca0-5316-21d2-245721d22457} Global\{5ca8b010-9944-20b5-4b19-29424e43b464} C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\droidcam.inf C:\Windows\System32\DriverStore\Temp\{43b04ca1-687d-714c-6e47-834c91f25331}\droidcam.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005CC" "00000000000005C8"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "droidcam.inf:MicrosoftDS.NTAMD64:DroidCam_PCMEX:1.0.0.1:droidcam" "6e67c8bbf" "00000000000005AC" "00000000000005C0" "00000000000005C8"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef60b9758,0x7fef60b9768,0x7fef60b9778
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:2
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1032 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2976 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3876 --field-trial-handle=1228,i,4359108815966577232,17610878201708739264,131072 /prefetch:1
  2⤵
  PID:3044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DroidCam\lib\DroidCamFilter32.ax

Filesize
84KB

MD5
efe71ae8a02ca59a0855cd649f5e58b8

SHA1
0a5ba3257ad82f71890c0fa55a5f7405d0b6b4ac

SHA256
ffb22ab7b98ecc98c22cf675bfab61c875127137277e1f66bc3d7269c3b42652

SHA512
bad93c560355019f739158d2a25e7643a08cdcb000b378099aa2431ba4d023aa72741e674912d738b0ac6d21e44417f5406eee67f16035f6a783a5226b0d65a4

Download Submit
C:\Program Files (x86)\DroidCam\lib\insdrv.exe

Filesize
13KB

MD5
fdabbeb1ee62a56fb695ca6e8ad3d4a1

SHA1
2c8851470a122da74de43de371c94c39befa0696

SHA256
d18438bf03d25002e5aa161669a7cb01d0b2c83d2fa5dc2f9217c3b656eb6b9f

SHA512
97e42153bd5ce9bffdf166630dd677bc1e4945d24cb732dcaa616563b892046d4b9a70d556a9bf907947a8bfcf1c28edbd2dac11bfa4bf40a14db3399e6420d9

Download Submit
C:\Program Files (x86)\DroidCam\lib\install.bat

Filesize
254B

MD5
cfaaa32cc4fd40e36512f768bd75a0e1

SHA1
6ed1063ab547f65aace2fd98713df6d29834c19a

SHA256
d7b86a37b02fed2794904cb28c0fa64a1e0d2218fab608250c8531c1b9ddc439

SHA512
d2fe74d8e10b6378c48b72c9e22515a31592859d1f725bc86d9e48fcce9f7421e7afe477feb1c2041ff46b2620ad4244c887c670dc25e8acd70029e2166a0a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1DFD.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF

Filesize
10KB

MD5
8aae3dd1fc84a75eb5baa65e67d191f4

SHA1
d10e9225ff52b9ab8587c3565678fd4f5b4ade44

SHA256
4cd6d7f9ef579fc74cc966208093791fbbf9bce229fb9bb35e89623a6fa249d0

SHA512
79c898dae70a5a4c95c9a66be5e34569bfefe399009558ed8549180c951faa3bbc1d55e86e79f17eacc7c0c97b586d5b91425e16992db1554cac8dccaaad3d4c

Download Submit
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF

Filesize
5KB

MD5
5e961b1e105c3b3e61e882a553bf5355

SHA1
a5410576b80da1982c64fd9bb81b85f6bc7cd12d

SHA256
1b68210cf77bbf95273c182120e0e38bc6750b361a5c2725319afb753dcfc0d1

SHA512
943d43bb77968c9d1df98076ec4a344c01596b2ae7771ce37dd10389ff96eadca91412106f404da5b54fb345d6e0e845259c8cec4537ff4d23c46a5a4e8d756a

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
ca48e0062a75bb3a2cf99aa61fcc06ec

SHA1
f9d71ff11950a25ed68329aa91701664ca41735b

SHA256
07d2293fa04b694f9daa1b099cf89e091a775733dd6cc0717938e9009c3ab424

SHA512
83f67f7f40ec81d29f00997300306cb96aaa90b95212a82daff0e2d97e23108ada547559f0dff12792f3263ad2656c0e5364f80ecc0a0e5da07df02f4ff61465

Download Submit
C:\Windows\Temp\Cab3FA1.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar3FB4.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\??\c:\PROGRA~2\droidcam\lib\droidcam.sys

Filesize
30KB

MD5
65f3e2bdb187ef73ce65b92c770594dd

SHA1
514f571ed0f89e50b53909e3f9550cad6107ceea

SHA256
13d6fb4d2284ec6b138740aaef4c7f6ac82e78d59891f4e51c8656f05150db8e

SHA512
2b5def159bd09b20cbcd03de3d2973c1fd216b35de71006c3077aeeddb71165075545941ebd53807fdd5cf682ec3eaadaeab9504b55a85c895cc1b811cf1a0c0

Download Submit
\??\c:\program files (x86)\droidcam\lib\droidcam.cat

Filesize
9KB

MD5
f6e94e3d7d3fe771b1933e06b7ba79b5

SHA1
65da1b5ab85f7b60f88c92101fdf95bfc7fe3931

SHA256
2a6124f7df464a02fc560cdf982eb3a65793e0c9252b361ec1e386bf4f63b60c

SHA512
45cc73010f8b3b638ce7349179a1a603ec009d0ce1066beafa03cc85c3a5a055c6430e50b9e298411d8dd617b698fd49364f8491ac95768a0a91c01c9e4390d4

Download Submit
\??\c:\program files (x86)\droidcam\lib\droidcam.inf

Filesize
2KB

MD5
aed4aa73848bd3423c170bf58f8febfa

SHA1
dfac68f7df29410357c00effee42e40bd0491167

SHA256
1cd87356a573e9def505dc8cc5e9f682e3cceecf499f50007b85def3c842b630

SHA512
4a9900d422447c59342c88e164d81c4187743e63eb5f993800311397bbdf43bea90e456b720fcd3e679bf029be70220e0b89c60d2717bf278d76c1049d921bfa

Download Submit
\Program Files (x86)\DroidCam\DroidCamApp.exe

Filesize
942KB

MD5
f8c12fc1b20887fdb70c7f02f0d7bfb3

SHA1
28d18fd281e17c919f81eda3a2f0d8765f57049f

SHA256
082f5c3fd2fd80505cbd4dbdbb7c50e83c2e81f033a04ea53832dbf0a3fc4933

SHA512
97c5d158abb119e076ace4b1398de19029b5d44566d9a293811bf7edbb0db120354cc396aed72bf62766799dc5db266d4b2ee7aee3ffc2818d8be77a4665ad2f

Download Submit
\Program Files (x86)\DroidCam\lib\DroidCamFilter64.ax

Filesize
157KB

MD5
78022c387da1e93dc0442b656837953e

SHA1
e2adf94ec9854e7e57ec0c885a67aa2b9444b233

SHA256
c85b89c5d77a8b41b1a8213783f3ebfcc2fbed959149c5e5ed0f48204d9c4d09

SHA512
1673125e743874f2ff155a0ea2aaeb31b1aac013a8db2995752f0fbcd6794d41a8f75a7acfeeec6e91e4954423304f9c5d876638a528845054496100e700a539

Download Submit
\Program Files (x86)\DroidCam\vc_redist.x86.exe

Filesize
13.1MB

MD5
1a15e6606bac9647e7ad3caa543377cf

SHA1
bfb74e498c44d3a103ca3aa2831763fb417134d1

SHA256
fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14

SHA512
e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1DFD.tmp\System.dll

Filesize
11KB

MD5
c9473cb90d79a374b2ba6040ca16e45c

SHA1
ab95b54f12796dce57210d65f05124a6ed81234a

SHA256
b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

SHA512
eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1DFD.tmp\nsDialogs.dll

Filesize
9KB

MD5
12465ce89d3853918ed3476d70223226

SHA1
4c9f4b8b77a254c2aeace08c78c1cffbb791640d

SHA256
5157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc

SHA512
20495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1DFD.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/928-206-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download