Analysis Overview
SHA256
304885dd48f88c6ede872a164b37d7fe11904eb8bda8d197ee6edf71a9f9e451
Threat Level: Shows suspicious behavior
The file obs-virtualcam-2.0.11-windows-x64-Installer.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 18:50
Reported
2024-02-22 18:53
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\ = "OBS-Audio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\CLSID = "{B750E5CD-5E7E-4ED3-B675-A5003C439997}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FriendlyName = "OBS-Camera" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\CLSID = "{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\ = "OBS-Camera" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FriendlyName = "OBS-Audio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b715955593200001000800000aa00389b71 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$400EE,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"
Network
Files
memory/2160-1-0x0000000000400000-0x00000000004D8000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
| MD5 | 6dd1b17b4ef0d27c0fe9517fb952ec54 |
| SHA1 | 45aeed41983c8aff9a48b37581d96af56cb8d826 |
| SHA256 | 966bdc17532efa46d9106cfb1ad08948229230e64e85de5ec3c50158c48c96a1 |
| SHA512 | e6e002d2e867e3e3f4f90ba5bd77aa42c246ca6f9be49f15949fd3d13f82c8db3751991e8773960d4e6ca03c46feae8bf575f52614b8485bcf56720372d7addf |
memory/2220-8-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2160-12-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/2220-13-0x0000000000400000-0x000000000071C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
| MD5 | b1b6486bc0da2577ce1e63af547007be |
| SHA1 | 32aa84dcd757bd3cfe9eb89ff17bfeadaa9f6d6d |
| SHA256 | 05d2bddb1b87d2e467b6fbba34372cbcb42a957c214cd4999350d698c05a2dbf |
| SHA512 | cefa4dc646982156d88998f6f6763005bf28d14e6a29a13c15b19a228715f33dad09e06dbad3ba8ea4b6e3ebd34f16a4f9f60ad262142d57c9fbfa43405808ad |
\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\unins000.exe
| MD5 | b69fef98a662f1caf57355cdf4382083 |
| SHA1 | e346aadda239282ef04ad6ddedbe3f596be190a7 |
| SHA256 | d700b1e4bc69c497558d6e649a35abcbfdbd51504f145473a9a6a5d03145caa6 |
| SHA512 | a019504111d2c6691f472223008f9d56a1e6313f3937d1dce5af79728f8d75f0646559c5307f6f35c5e3a1066afd245d6ad6da66526e162d10da4fb02bff3c74 |
\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll
| MD5 | 5906023042c6305c61847b19025b49d4 |
| SHA1 | e4a7ba8c640e5215759b46e9ad101daa153a0bcd |
| SHA256 | 78be99ea912020fc55b77134b1ec3b17a4f18eacf8253dffdef3bc7245393d07 |
| SHA512 | 2a6d6b0ac519b9500ebf8ab51aae3b5e097282e350ffa8fb2e1fae7f6f729bf57a5a828d29349004d3237d6c788841e893b0d6fcb6349819af25fc1a6d90a38f |
C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll
| MD5 | c35c65fec37494d7ef13a15107d1bb06 |
| SHA1 | 39cba714c5dd2ce276a54f7db18e0c07d0685edf |
| SHA256 | 5cb1e909fd01760df81d23aed8010b616824ec82c26653802c86ec23593ad72a |
| SHA512 | d16cf0d00c9009d19a31d4aede43226a51f1a5c14f2fa3605e886c2db66b024b66cb087d259329b6e1fdbde8c0c01c7fa67a3fab8ecca6afd14ed224531b5f53 |
\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\swscale-7.dll
| MD5 | 1798de9667da8cc68fdd18894542356c |
| SHA1 | 902430f76a0cb7238c87df1b21fbf2180f45b1bb |
| SHA256 | 5cd9df7402954c4b13c2727d0f5a7834d70363f002026ceb89748b8f22a8ac51 |
| SHA512 | 3d3d7df2c954c0ec7f99b3b806822f165473cbe6d5dab1ad7c8159c3fd865f3c77ab4e8ba5bd3e8bb705ed5a5239e2c21e668babb1b31914800ba59892a6080f |
\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll
| MD5 | 07dca43200ff802bab43fd63f68e98c7 |
| SHA1 | f06a38d1149a274be8c2da7d385c422fb163e1f9 |
| SHA256 | abc7c7d07cab146a3c64fc16bfcfce8cf5fe4ac84ae589fb3e5871daec6c5e6e |
| SHA512 | 21a3b93e802469958427ab22b4b84be72d6ae08196338579174e4ae15a4be44ef0a5b956215bbe5bcf7d6bb963ab0815674fc12d0a00e41350d47e247c155256 |
C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll
| MD5 | 293966206dbad1c9aa227e3067bc3278 |
| SHA1 | 9964d08cc590be9f45897d2833f08cfdda137dec |
| SHA256 | 2b4972f0757a2290579d90e753eb3da989cd42c0e19a5440ca883a7106ab2c10 |
| SHA512 | a428954b76031ecb9f49832e8c05ce3cab8784f4c056a49b33fd25e0dc73882e9e24034b5d7942ea09bfeacf8ffa084848ca35d5a9b01a64c2cf1e02f603dfcd |
memory/2220-53-0x0000000000400000-0x000000000071C000-memory.dmp
memory/2160-54-0x0000000000400000-0x00000000004D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 18:50
Reported
2024-02-22 18:53
Platform
win10v2004-20240221-en
Max time kernel
91s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FriendlyName = "OBS-Audio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\CLSID = "{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\ = "OBS-Audio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\ = "OBS-Camera" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b715955593200001000800000aa00389b71 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\CLSID = "{B750E5CD-5E7E-4ED3-B675-A5003C439997}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FriendlyName = "OBS-Camera" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$900F0,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
Files
memory/2704-0-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/2704-2-0x0000000000400000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
| MD5 | 6dd1b17b4ef0d27c0fe9517fb952ec54 |
| SHA1 | 45aeed41983c8aff9a48b37581d96af56cb8d826 |
| SHA256 | 966bdc17532efa46d9106cfb1ad08948229230e64e85de5ec3c50158c48c96a1 |
| SHA512 | e6e002d2e867e3e3f4f90ba5bd77aa42c246ca6f9be49f15949fd3d13f82c8db3751991e8773960d4e6ca03c46feae8bf575f52614b8485bcf56720372d7addf |
memory/3404-6-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/2704-10-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/3404-11-0x0000000000400000-0x000000000071C000-memory.dmp
memory/3404-14-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/3404-16-0x0000000000400000-0x000000000071C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll
| MD5 | 07dca43200ff802bab43fd63f68e98c7 |
| SHA1 | f06a38d1149a274be8c2da7d385c422fb163e1f9 |
| SHA256 | abc7c7d07cab146a3c64fc16bfcfce8cf5fe4ac84ae589fb3e5871daec6c5e6e |
| SHA512 | 21a3b93e802469958427ab22b4b84be72d6ae08196338579174e4ae15a4be44ef0a5b956215bbe5bcf7d6bb963ab0815674fc12d0a00e41350d47e247c155256 |
C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\swscale-7.dll
| MD5 | 1798de9667da8cc68fdd18894542356c |
| SHA1 | 902430f76a0cb7238c87df1b21fbf2180f45b1bb |
| SHA256 | 5cd9df7402954c4b13c2727d0f5a7834d70363f002026ceb89748b8f22a8ac51 |
| SHA512 | 3d3d7df2c954c0ec7f99b3b806822f165473cbe6d5dab1ad7c8159c3fd865f3c77ab4e8ba5bd3e8bb705ed5a5239e2c21e668babb1b31914800ba59892a6080f |
C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll
| MD5 | c35c65fec37494d7ef13a15107d1bb06 |
| SHA1 | 39cba714c5dd2ce276a54f7db18e0c07d0685edf |
| SHA256 | 5cb1e909fd01760df81d23aed8010b616824ec82c26653802c86ec23593ad72a |
| SHA512 | d16cf0d00c9009d19a31d4aede43226a51f1a5c14f2fa3605e886c2db66b024b66cb087d259329b6e1fdbde8c0c01c7fa67a3fab8ecca6afd14ed224531b5f53 |
C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll
| MD5 | 293966206dbad1c9aa227e3067bc3278 |
| SHA1 | 9964d08cc590be9f45897d2833f08cfdda137dec |
| SHA256 | 2b4972f0757a2290579d90e753eb3da989cd42c0e19a5440ca883a7106ab2c10 |
| SHA512 | a428954b76031ecb9f49832e8c05ce3cab8784f4c056a49b33fd25e0dc73882e9e24034b5d7942ea09bfeacf8ffa084848ca35d5a9b01a64c2cf1e02f603dfcd |
memory/3404-55-0x0000000000400000-0x000000000071C000-memory.dmp
memory/2704-56-0x0000000000400000-0x00000000004D8000-memory.dmp