Malware Analysis Report

2025-08-11 06:03

Sample ID 240222-xhdc8sdh4y
Target obs-virtualcam-2.0.11-windows-x64-Installer.exe
SHA256 304885dd48f88c6ede872a164b37d7fe11904eb8bda8d197ee6edf71a9f9e451
Tags

discovery

score

7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

304885dd48f88c6ede872a164b37d7fe11904eb8bda8d197ee6edf71a9f9e451

Threat Level: Shows suspicious behavior

The file obs-virtualcam-2.0.11-windows-x64-Installer.exe was classified as: shows suspicious behavior. Triage context for the signatures below: the dropped is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp (is-0NMBG.tmp in the second run), launched with the /SL5= switch, is the standard Inno Setup setup-loader pattern (the stub extracts the real setup program to a Temp subfolder and runs it), which is what the "Executes dropped EXE" signature records, and the parent-to-child WriteProcessMemory entries follow that same process-creation chain. The registry writes are DirectShow filter registrations of obs-virtualsource.dll as camera and microphone sources, performed through regsvr32.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 18:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 18:50

Reported

2024-02-22 18:53

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\ = "OBS-Audio" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\CLSID = "{B750E5CD-5E7E-4ED3-B675-A5003C439997}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FriendlyName = "OBS-Camera" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\CLSID = "{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\ = "OBS-Camera" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FriendlyName = "OBS-Audio" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b715955593200001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
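The parent keys in this table say what was registered: {860BB310-5D01-11D0-BD3B-00A0C911CE86} is CLSID_VideoInputDeviceCategory and {33D9A762-90C8-11D0-BD43-00A0C911CE86} is CLSID_AudioInputDeviceCategory, the DirectShow device categories that applications enumerate to list cameras and microphones, so these writes expose obs-virtualsource.dll as a capture source ("OBS-Camera", "OBS-Audio") to every DirectShow client on the machine. The FilterData values are the serialized REGFILTER2 structure that IFilterMapper2::RegisterFilter writes. The decoder below is an added example written for this report; it is not sandbox output and not OBS code. Its blob layout follows the format as implemented in Wine's quartz filter mapper (assumed to match what the sandbox captured), the GUID name table is a small hand-picked subset, and the two sample blobs are copied from the FilterData rows above. Decoded, both filters have merit 0x00200000 (MERIT_DO_NOT_USE, so intelligent connect never pulls them in and they must be selected by name) and a single output pin, advertising MEDIATYPE_Video/MEDIASUBTYPE_YUY2 and MEDIATYPE_Audio/MEDIASUBTYPE_PCM respectively.

```python
"""Decode DirectShow FilterData registry blobs (serialized REGFILTER2).

Added example for this report; not sandbox output and not OBS code.
Layout as written by IFilterMapper2::RegisterFilter and documented by
Wine's quartz filter mapper: a 16-byte header, one "<n>pi3" block per
pin, one "<n>ty3" block per media type, then the referenced GUIDs.
"""
import struct
import uuid

MERITS = {
    0x00800000: "MERIT_PREFERRED",
    0x00600000: "MERIT_NORMAL",
    0x00400000: "MERIT_UNLIKELY",
    0x00200000: "MERIT_DO_NOT_USE",
    0x00100000: "MERIT_SW_COMPRESSOR",
    0x00100050: "MERIT_HW_COMPRESSOR",
}
# REG_PINFLAG_B_* bits.
PIN_FLAGS = {0x1: "ZERO", 0x2: "RENDERER", 0x4: "MANY", 0x8: "OUTPUT"}

# Well-known media GUIDs (subset): Data1 is a FOURCC, the rest is 0000-0010-8000-00AA00389B71.
KNOWN_GUIDS = {
    "73646976-0000-0010-8000-00aa00389b71": "MEDIATYPE_Video",
    "73647561-0000-0010-8000-00aa00389b71": "MEDIATYPE_Audio",
    "32595559-0000-0010-8000-00aa00389b71": "MEDIASUBTYPE_YUY2",
    "00000001-0000-0010-8000-00aa00389b71": "MEDIASUBTYPE_PCM",
}

# FilterData values copied from the report (OBS-Camera, then OBS-Audio).
OBS_CAMERA_FILTERDATA = (
    "02000000000020000100000000000000"
    "30706933080000000000000001000000"
    "00000000000000003074793300000000"
    "38000000480000007669647300001000"
    "800000aa00389b715955593200001000"
    "800000aa00389b71"
)
OBS_AUDIO_FILTERDATA = (
    "02000000000020000100000000000000"
    "30706933080000000000000001000000"
    "00000000000000003074793300000000"
    "38000000480000006175647300001000"
    "800000aa00389b710100000000001000"
    "800000aa00389b71"
)


def _guid_at(blob, offset):
    """Read a little-endian GUID at offset; name it if it is a well-known one."""
    guid = str(uuid.UUID(bytes_le=blob[offset:offset + 16]))
    return KNOWN_GUIDS.get(guid, guid)


def parse_filter_data(hex_blob):
    blob = bytes.fromhex(hex_blob)
    version, merit, n_pins, _reserved = struct.unpack_from("<4I", blob, 0)
    if version != 2:
        raise ValueError(f"unsupported FilterData version {version}")
    pos, pins = 16, []
    for _ in range(n_pins):
        if blob[pos + 1:pos + 4] != b"pi3":
            raise ValueError(f"bad pin block signature at offset {pos}")
        flags, _instances, n_types, n_mediums, has_category = struct.unpack_from("<5I", blob, pos + 4)
        pos += 24
        category = None
        if has_category:  # optional DWORD: offset of the pin-category GUID
            (cat_off,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            category = _guid_at(blob, cat_off)
        if n_mediums:  # capture sources do not use mediums; refuse rather than misparse
            raise NotImplementedError("pin medium blocks are not decoded by this example")
        media_types = []
        for _ in range(n_types):
            if blob[pos + 1:pos + 4] != b"ty3":
                raise ValueError(f"bad media-type block signature at offset {pos}")
            _unused, major_off, minor_off = struct.unpack_from("<3I", blob, pos + 4)
            pos += 16
            media_types.append((_guid_at(blob, major_off), _guid_at(blob, minor_off)))
        pins.append({
            "direction": "output" if flags & 0x8 else "input",
            "flags": [name for bit, name in PIN_FLAGS.items() if flags & bit],
            "category": category,
            "media_types": media_types,
        })
    return {"merit": MERITS.get(merit, f"0x{merit:08x}"), "pins": pins}


def summarize(hex_blob):
    """One-line triage summary of a FilterData value."""
    info = parse_filter_data(hex_blob)
    pins = "; ".join(
        f"{p['direction']} pin " + ", ".join(f"{m}/{s}" for m, s in p["media_types"])
        for p in info["pins"]
    )
    return f"{info['merit']}: {pins}"


if __name__ == "__main__":
    for name, blob in (("OBS-Camera", OBS_CAMERA_FILTERDATA), ("OBS-Audio", OBS_AUDIO_FILTERDATA)):
        print(name, "->", summarize(blob))
```

A blob with an input or renderer pin, or an unexpected major type under a camera category, is the kind of inconsistency worth a second look; for this sample the decoded values are what a virtual camera and microphone should look like.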

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2220 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
PID 2220 wrote to memory of 2860 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2220 wrote to memory of 2448 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe

"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$400EE,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"

Network

N/A

Files

memory/2160-1-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

MD5 6dd1b17b4ef0d27c0fe9517fb952ec54
SHA1 45aeed41983c8aff9a48b37581d96af56cb8d826
SHA256 966bdc17532efa46d9106cfb1ad08948229230e64e85de5ec3c50158c48c96a1
SHA512 e6e002d2e867e3e3f4f90ba5bd77aa42c246ca6f9be49f15949fd3d13f82c8db3751991e8773960d4e6ca03c46feae8bf575f52614b8485bcf56720372d7addf

memory/2220-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2160-12-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2220-13-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

MD5 b1b6486bc0da2577ce1e63af547007be
SHA1 32aa84dcd757bd3cfe9eb89ff17bfeadaa9f6d6d
SHA256 05d2bddb1b87d2e467b6fbba34372cbcb42a957c214cd4999350d698c05a2dbf
SHA512 cefa4dc646982156d88998f6f6763005bf28d14e6a29a13c15b19a228715f33dad09e06dbad3ba8ea4b6e3ebd34f16a4f9f60ad262142d57c9fbfa43405808ad

\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\unins000.exe

MD5 b69fef98a662f1caf57355cdf4382083
SHA1 e346aadda239282ef04ad6ddedbe3f596be190a7
SHA256 d700b1e4bc69c497558d6e649a35abcbfdbd51504f145473a9a6a5d03145caa6
SHA512 a019504111d2c6691f472223008f9d56a1e6313f3937d1dce5af79728f8d75f0646559c5307f6f35c5e3a1066afd245d6ad6da66526e162d10da4fb02bff3c74

\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll

MD5 5906023042c6305c61847b19025b49d4
SHA1 e4a7ba8c640e5215759b46e9ad101daa153a0bcd
SHA256 78be99ea912020fc55b77134b1ec3b17a4f18eacf8253dffdef3bc7245393d07
SHA512 2a6d6b0ac519b9500ebf8ab51aae3b5e097282e350ffa8fb2e1fae7f6f729bf57a5a828d29349004d3237d6c788841e893b0d6fcb6349819af25fc1a6d90a38f

C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll

MD5 c35c65fec37494d7ef13a15107d1bb06
SHA1 39cba714c5dd2ce276a54f7db18e0c07d0685edf
SHA256 5cb1e909fd01760df81d23aed8010b616824ec82c26653802c86ec23593ad72a
SHA512 d16cf0d00c9009d19a31d4aede43226a51f1a5c14f2fa3605e886c2db66b024b66cb087d259329b6e1fdbde8c0c01c7fa67a3fab8ecca6afd14ed224531b5f53

\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\swscale-7.dll

MD5 1798de9667da8cc68fdd18894542356c
SHA1 902430f76a0cb7238c87df1b21fbf2180f45b1bb
SHA256 5cd9df7402954c4b13c2727d0f5a7834d70363f002026ceb89748b8f22a8ac51
SHA512 3d3d7df2c954c0ec7f99b3b806822f165473cbe6d5dab1ad7c8159c3fd865f3c77ab4e8ba5bd3e8bb705ed5a5239e2c21e668babb1b31914800ba59892a6080f

\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll

MD5 07dca43200ff802bab43fd63f68e98c7
SHA1 f06a38d1149a274be8c2da7d385c422fb163e1f9
SHA256 abc7c7d07cab146a3c64fc16bfcfce8cf5fe4ac84ae589fb3e5871daec6c5e6e
SHA512 21a3b93e802469958427ab22b4b84be72d6ae08196338579174e4ae15a4be44ef0a5b956215bbe5bcf7d6bb963ab0815674fc12d0a00e41350d47e247c155256

C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll

MD5 293966206dbad1c9aa227e3067bc3278
SHA1 9964d08cc590be9f45897d2833f08cfdda137dec
SHA256 2b4972f0757a2290579d90e753eb3da989cd42c0e19a5440ca883a7106ab2c10
SHA512 a428954b76031ecb9f49832e8c05ce3cab8784f4c056a49b33fd25e0dc73882e9e24034b5d7942ea09bfeacf8ffa084848ca35d5a9b01a64c2cf1e02f603dfcd

memory/2220-53-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2160-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 18:50

Reported

2024-02-22 18:53

Platform

win10v2004-20240221-en

Max time kernel

91s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FriendlyName = "OBS-Audio" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\CLSID = "{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\ = "OBS-Audio" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\ = "OBS-Camera" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b715955593200001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\CLSID = "{B750E5CD-5E7E-4ED3-B675-A5003C439997}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FriendlyName = "OBS-Camera" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 3404 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
PID 3404 wrote to memory of 3104 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3404 wrote to memory of 4848 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe

"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$900F0,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp

Files

memory/2704-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2704-2-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

MD5 6dd1b17b4ef0d27c0fe9517fb952ec54
SHA1 45aeed41983c8aff9a48b37581d96af56cb8d826
SHA256 966bdc17532efa46d9106cfb1ad08948229230e64e85de5ec3c50158c48c96a1
SHA512 e6e002d2e867e3e3f4f90ba5bd77aa42c246ca6f9be49f15949fd3d13f82c8db3751991e8773960d4e6ca03c46feae8bf575f52614b8485bcf56720372d7addf

memory/3404-6-0x0000000000A30000-0x0000000000A31000-memory.dmp

memory/2704-10-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3404-11-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3404-14-0x0000000000A30000-0x0000000000A31000-memory.dmp

memory/3404-16-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll

MD5 07dca43200ff802bab43fd63f68e98c7
SHA1 f06a38d1149a274be8c2da7d385c422fb163e1f9
SHA256 abc7c7d07cab146a3c64fc16bfcfce8cf5fe4ac84ae589fb3e5871daec6c5e6e
SHA512 21a3b93e802469958427ab22b4b84be72d6ae08196338579174e4ae15a4be44ef0a5b956215bbe5bcf7d6bb963ab0815674fc12d0a00e41350d47e247c155256

C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\swscale-7.dll

MD5 1798de9667da8cc68fdd18894542356c
SHA1 902430f76a0cb7238c87df1b21fbf2180f45b1bb
SHA256 5cd9df7402954c4b13c2727d0f5a7834d70363f002026ceb89748b8f22a8ac51
SHA512 3d3d7df2c954c0ec7f99b3b806822f165473cbe6d5dab1ad7c8159c3fd865f3c77ab4e8ba5bd3e8bb705ed5a5239e2c21e668babb1b31914800ba59892a6080f

C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll

MD5 c35c65fec37494d7ef13a15107d1bb06
SHA1 39cba714c5dd2ce276a54f7db18e0c07d0685edf
SHA256 5cb1e909fd01760df81d23aed8010b616824ec82c26653802c86ec23593ad72a
SHA512 d16cf0d00c9009d19a31d4aede43226a51f1a5c14f2fa3605e886c2db66b024b66cb087d259329b6e1fdbde8c0c01c7fa67a3fab8ecca6afd14ed224531b5f53

C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll

MD5 293966206dbad1c9aa227e3067bc3278
SHA1 9964d08cc590be9f45897d2833f08cfdda137dec
SHA256 2b4972f0757a2290579d90e753eb3da989cd42c0e19a5440ca883a7106ab2c10
SHA512 a428954b76031ecb9f49832e8c05ce3cab8784f4c056a49b33fd25e0dc73882e9e24034b5d7942ea09bfeacf8ffa084848ca35d5a9b01a64c2cf1e02f603dfcd

memory/3404-55-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2704-56-0x0000000000400000-0x00000000004D8000-memory.dmp