f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DroidCam_6.5.2.exe
Size

15.6MB
MD5

d952d907646a522caf6ec5d00d114ce1
SHA1

75ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256

f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA512

3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe
SSDEEP

393216:oZsfK4YUD12zS7SEOegn4j7BgNE9O+wcDGFdClu8ZLzzpC4:gsfKPUD1kS7249O3cDGvClnlC4

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET4F77.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET4F77.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\droidcam.sys	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0895810CAA35D20311C321FADD076560DB5A724D\Blob = 0300000001000000140000000895810caa35d20311c321fadd076560db5a724d190000000100000010000000bdb30e9906c34e10fef9b957fb3c519a0400000001000000100000007bf587aa0c9dd6f19549b52dc35c26f7140000000100000014000000eabd4e9ad363821855a0c5a7a1655eb40f9878490f00000001000000200000007bac0dc0600fd0ab391e070c030195f4b0a41e789d82150813845407e7695a5c20000000010000002b050000308205273082040fa003020102021006f8cf5be44c6fa358e6fb3c3e8aacba300d06092a864886f70d01010b05003076310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d313530330603550403132c446967694365727420534841322048696768204173737572616e636520436f6465205369676e696e67204341301e170d3230303132303030303030305a170d3231303132373132303030305a3066310b300906035504061302434131193017060355040813104272697469736820436f6c756d626961311230100603550407130956414e434f5556455231133011060355040a130a44455634372041505053311330110603550403130a4445563437204150505330820122300d06092a864886f70d01010105000382010f003082010a0282010100a2cceeb89f2fbf06b70d81a7e9c8d9ee045f2fe98cf7edff52c4821008b6854b8f1680ae99d4c5effe6d57b249b18f89970fa66792da4fb2f0e6880386636bb65300d1898b92a7e17804273aa3ab5a5c61ec4a8c5ba53217323729560e46514c1eb0636b419cd461c94d6b936cd230584639d477e52201171ce5815777d1f24210e291b9bfef7760b36a6e6b3154939c54a9b6b007e2bebb9b5d48d8dde07cb078b42d3d31671a5f5dc02e8ba84d5764ca7c97fba3ed2334148f835576a8b5953a9a5ea44a0d2954dd600939ce4dfcef1814593e3514599dbf7bfb61eea38c3999636ddc975fd3594168f6126ebf825f5e58289cf5ae256967ccc888a74a2cef0203010001a38201bf308201bb301f0603551d23041830168014679d0f20090ccc8a3ae582467262fcf1cc90e540301d0603551d0e04160414eabd4e9ad363821855a0c5a7a1655eb40f987849300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303306d0603551d1f046630643030a02ea02c862a687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d68612d63732d67312e63726c3030a02ea02c862a687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d68612d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c030b302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818806082b06010505070101047c307a302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305206082b060105050730028646687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132486967684173737572616e6365436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382010100851bc04858e93326698691018936e189f691c0b60b9052fe031b9f00d1ca9c3a470dbcb5ca00a2fd9cd24e7d3e169ee8c451527e1539da97e5fb4ec8f1ce755df80d4ecf0637d6c6496769e99ded9c2338e162edd2a61e73f4bcbc0b60ae6cb179a89d13d72497d62de39fdedd0350c646e67bd7905cd8037e90d4662bd692b8d9dd25898195cc78392c8da1caec3b51fbeaa7bf57ffde3c305da1c014fe19c0dcb29ec5a16e4d68309b992b57ec3df808a0f22c63e5415fbb88569740c2d8fd9cd03dc1f4c9e3fe5f9a36c1e244e7ca275bca187b34877bda170ed62280de475bd5cd785c0afcca13ceea500473fd95857319c9888885797d7503bf12e13885	DrvInst.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\droidcam.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\droidcam.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\SET8B50.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	insdrv.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	insdrv.exe
File created	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\SET8B3F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\SET8B51.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\droidcam.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\SET8B51.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	insdrv.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\SET8B3F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\SET8B50.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DroidCam\plist.dll	DroidCam_6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\vc_redist.x86.exe	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\insdrv.exe	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\DroidCamFilter64.ax	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\swscale-5.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\Uninstall.exe	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\Licence.txt	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\adb\AdbWinUsbApi.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\usbmuxd.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\DroidCamApp.exe	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\loading.gif	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\adb\adb.exe	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\DroidCamFilter32.ax	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\vc_redist.x86.exe	DroidCam_6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\lib\droidcam.inf	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\avcodec-58.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\avutil-56.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\adb\AdbWinApi.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\install.bat	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\droidcam.sys	DroidCam_6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\lib\droidcam.sys	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\libwinpthread-1.dll	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\droidcam.inf	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\lib\droidcam.cat	DroidCam_6.5.2.exe
File opened for modification	C:\Program Files (x86)\DroidCam\lib\droidcam.cat	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\Toggle HD Mode.lnk	DroidCam_6.5.2.exe
File created	C:\Program Files (x86)\DroidCam\With Stats.lnk	DroidCam_6.5.2.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	insdrv.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	insdrv.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe

Executes dropped EXE 4 IoCs

pid	Process
2656	vc_redist.x86.exe
2488	vc_redist.x86.exe
2036	insdrv.exe
616	DroidCamApp.exe

Loads dropped DLL 21 IoCs

pid	Process
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
2656	vc_redist.x86.exe
2488	vc_redist.x86.exe
1672	regsvr32.exe
2780	regsvr32.exe
1752	regsvr32.exe
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
2004	Process not Found
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
844	DroidCam_6.5.2.exe
616	DroidCamApp.exe
616	DroidCamApp.exe
616	DroidCamApp.exe
616	DroidCamApp.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C}	DroidCam_6.5.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2"	DroidCam_6.5.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter32.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C}	DroidCam_6.5.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2"	DroidCam_6.5.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	insdrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	insdrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	insdrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	insdrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
844	DroidCam_6.5.2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeRestorePrivilege	1900	rundll32.exe
Token: SeBackupPrivilege	2936	vssvc.exe
Token: SeRestorePrivilege	2936	vssvc.exe
Token: SeAuditPrivilege	2936	vssvc.exe
Token: SeBackupPrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	880	DrvInst.exe
Token: SeLoadDriverPrivilege	880	DrvInst.exe
Token: SeLoadDriverPrivilege	880	DrvInst.exe
Token: SeLoadDriverPrivilege	880	DrvInst.exe
Token: SeRestorePrivilege	2036	insdrv.exe
Token: SeLoadDriverPrivilege	2036	insdrv.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeLoadDriverPrivilege	2972	DrvInst.exe
Token: SeLoadDriverPrivilege	2972	DrvInst.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
616	DroidCamApp.exe
616	DroidCamApp.exe
616	DroidCamApp.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
616	DroidCamApp.exe
616	DroidCamApp.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 844 wrote to memory of 2656	844	DroidCam_6.5.2.exe	28
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 2656 wrote to memory of 2488	2656	vc_redist.x86.exe	29
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 844 wrote to memory of 624	844	DroidCam_6.5.2.exe	30
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 1672	624	cmd.exe	32
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 624 wrote to memory of 2780	624	cmd.exe	33
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 2780 wrote to memory of 1752	2780	regsvr32.exe	34
PID 844 wrote to memory of 2036	844	DroidCam_6.5.2.exe	35
PID 844 wrote to memory of 2036	844	DroidCam_6.5.2.exe	35
PID 844 wrote to memory of 2036	844	DroidCam_6.5.2.exe	35
PID 844 wrote to memory of 2036	844	DroidCam_6.5.2.exe	35
PID 1736 wrote to memory of 1900	1736	DrvInst.exe	38
PID 1736 wrote to memory of 1900	1736	DrvInst.exe	38
PID 1736 wrote to memory of 1900	1736	DrvInst.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DroidCam_6.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\DroidCam_6.5.2.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:844
- C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
  "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
    "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{BCEBBF3A-862A-4755-88FF-9379881C3F95} {05176916-5E0F-4A1A-B8B0-F5970DB231F0} 2656
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c install.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "DroidCamFilter32.ax"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1672
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "DroidCamFilter64.ax"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\system32\regsvr32.exe
      /s "DroidCamFilter64.ax"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:1752
- C:\Program Files (x86)\DroidCam\lib\insdrv.exe
  "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0a8bad77-db38-53e3-1321-0b3a1263d774}\droidcam.inf" "9" "6e67c8bbf" "0000000000000574" "WinSta0\Default" "0000000000000560" "208" "c:\program files (x86)\droidcam\lib"
1⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{259218f8-da65-5270-0ad1-c213ac96e93c} Global\{5bba3e4e-bc7b-2b11-0a9f-9129df3f0812} C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\droidcam.inf C:\Windows\System32\DriverStore\Temp\{376d2083-05d6-51f3-bc03-7f7608dd067f}\droidcam.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000005D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "droidcam.inf:MicrosoftDS.NTAMD64:DroidCam_PCMEX:1.0.0.1:droidcam" "6e67c8bbf" "0000000000000574" "0000000000000498" "00000000000005E0"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files (x86)\DroidCam\DroidCamApp.exe
"C:\Program Files (x86)\DroidCam\DroidCamApp.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DroidCam\lib\DroidCamFilter32.ax

Filesize
84KB

MD5
efe71ae8a02ca59a0855cd649f5e58b8

SHA1
0a5ba3257ad82f71890c0fa55a5f7405d0b6b4ac

SHA256
ffb22ab7b98ecc98c22cf675bfab61c875127137277e1f66bc3d7269c3b42652

SHA512
bad93c560355019f739158d2a25e7643a08cdcb000b378099aa2431ba4d023aa72741e674912d738b0ac6d21e44417f5406eee67f16035f6a783a5226b0d65a4

Download Submit
C:\Program Files (x86)\DroidCam\lib\DroidCamFilter64.ax

Filesize
157KB

MD5
78022c387da1e93dc0442b656837953e

SHA1
e2adf94ec9854e7e57ec0c885a67aa2b9444b233

SHA256
c85b89c5d77a8b41b1a8213783f3ebfcc2fbed959149c5e5ed0f48204d9c4d09

SHA512
1673125e743874f2ff155a0ea2aaeb31b1aac013a8db2995752f0fbcd6794d41a8f75a7acfeeec6e91e4954423304f9c5d876638a528845054496100e700a539

Download Submit
C:\Program Files (x86)\DroidCam\lib\install.bat

Filesize
254B

MD5
cfaaa32cc4fd40e36512f768bd75a0e1

SHA1
6ed1063ab547f65aace2fd98713df6d29834c19a

SHA256
d7b86a37b02fed2794904cb28c0fa64a1e0d2218fab608250c8531c1b9ddc439

SHA512
d2fe74d8e10b6378c48b72c9e22515a31592859d1f725bc86d9e48fcce9f7421e7afe477feb1c2041ff46b2620ad4244c887c670dc25e8acd70029e2166a0a93

Download Submit
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe

Filesize
3.7MB

MD5
788d378bda46db4902287e410a0f1657

SHA1
52ad0f63a9dc4ed341ec51edafc4618e11738745

SHA256
d7e37d41019b99a94436c49eb8a1c702dfd75c84af1aeda90fae6762639ecad9

SHA512
e4bcfdf2c141162e8fe3443a8b67d72de7e3c7676b1d9d34c8f8a1ffd6ce11501c1a0232097369cb714981ce5c8d20c16f15eee536223a8ed9bff629acb20f10

Download Submit
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe

Filesize
2.4MB

MD5
12407fef90b6cca4bb672369e11c716a

SHA1
d72f33029868839ba59082fa1e0e114289f93524

SHA256
b1a01776b7a13066c90ef85739e7900ae3837e4014f3182abcb93f3464fc189f

SHA512
bc1e55989875d8e3e27225414480730b644aef6df83cd5a2e81434b53f0e17a858a16174802bbd8148b79ebc5ab523318474330a659653738d5c8b9c833a51bf

Download Submit
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe

Filesize
832KB

MD5
41684f87c6807932b9570349a33f16f6

SHA1
32cc1b793dccb88b6037f7b11fb7e487bd7f3a9f

SHA256
df389353820e89d8083933a589a5c4d8e0645f8525547769a8592588c524a551

SHA512
973716f5517f19e7deb9ffcf5785b0d8f273d437c030ceedcfa3f68fd10088c539aeb3e4987a918573d7dd53b7dfb23b320bc16c0ea9496b7218d79b97b530aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab870D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar878C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy560D.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF

Filesize
10KB

MD5
9b5e8dad6956fb019ff708e1be4c3384

SHA1
5681775a850517d444cbeca8c972e81e2b33681f

SHA256
7fd3f3d9cd357840d6686c54d9083aa3e6fe3e1cfb6965195a42b1438d9871c4

SHA512
3339bffc2427c4d8f332b46f2f1b11fb5f68625d0e62c7e8142d71959a13ad0a3f506f2e4812665fb16e77c373b476488c6457ea91587a32b54daf937c711448

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
2e8de21d5cfa3c57fd562eb7aa8fd8ed

SHA1
e15d5ee1f1a2f948831ae4271bcdbd2ef0993210

SHA256
e05c49e2b7f5b735e213943b4556a89fdb3986a14d4ca99a14af96415984fcce

SHA512
ce5a8f7f9d633cdbd86f4cacdcce86fc05a14d0c467610d063cfb04fed0f5028d2ba165b46fb61046c09bc4369a59fbca61ee877e49ada86bce58bb18175020a

Download Submit
C:\Windows\Temp\Cab8C2B.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar8C7C.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\??\c:\PROGRA~2\droidcam\lib\droidcam.sys

Filesize
30KB

MD5
65f3e2bdb187ef73ce65b92c770594dd

SHA1
514f571ed0f89e50b53909e3f9550cad6107ceea

SHA256
13d6fb4d2284ec6b138740aaef4c7f6ac82e78d59891f4e51c8656f05150db8e

SHA512
2b5def159bd09b20cbcd03de3d2973c1fd216b35de71006c3077aeeddb71165075545941ebd53807fdd5cf682ec3eaadaeab9504b55a85c895cc1b811cf1a0c0

Download Submit
\??\c:\program files (x86)\droidcam\lib\droidcam.cat

Filesize
9KB

MD5
f6e94e3d7d3fe771b1933e06b7ba79b5

SHA1
65da1b5ab85f7b60f88c92101fdf95bfc7fe3931

SHA256
2a6124f7df464a02fc560cdf982eb3a65793e0c9252b361ec1e386bf4f63b60c

SHA512
45cc73010f8b3b638ce7349179a1a603ec009d0ce1066beafa03cc85c3a5a055c6430e50b9e298411d8dd617b698fd49364f8491ac95768a0a91c01c9e4390d4

Download Submit
\??\c:\program files (x86)\droidcam\lib\droidcam.inf

Filesize
2KB

MD5
aed4aa73848bd3423c170bf58f8febfa

SHA1
dfac68f7df29410357c00effee42e40bd0491167

SHA256
1cd87356a573e9def505dc8cc5e9f682e3cceecf499f50007b85def3c842b630

SHA512
4a9900d422447c59342c88e164d81c4187743e63eb5f993800311397bbdf43bea90e456b720fcd3e679bf029be70220e0b89c60d2717bf278d76c1049d921bfa

Download Submit
\Program Files (x86)\DroidCam\DroidCamApp.exe

Filesize
942KB

MD5
f8c12fc1b20887fdb70c7f02f0d7bfb3

SHA1
28d18fd281e17c919f81eda3a2f0d8765f57049f

SHA256
082f5c3fd2fd80505cbd4dbdbb7c50e83c2e81f033a04ea53832dbf0a3fc4933

SHA512
97c5d158abb119e076ace4b1398de19029b5d44566d9a293811bf7edbb0db120354cc396aed72bf62766799dc5db266d4b2ee7aee3ffc2818d8be77a4665ad2f

Download Submit
\Program Files (x86)\DroidCam\avcodec-58.dll

Filesize
1.9MB

MD5
5faf0e59bf7ab03adde5f146cc08a777

SHA1
edbdf307186c45d90bee94ca468642f248737635

SHA256
03ff2145b20ed54e35830545a830a6aefe7804c775e4ff1cfda6fe91ab6e052b

SHA512
e2842fe5f4119d0e5e5da881167b1ccc9891a033873619ad2f9ca28a0a150cf8307f7297fb0f70ba1ba5dc44ea5da712cdc5320dff906f81193e809bee9799d4

Download Submit
\Program Files (x86)\DroidCam\avutil-56.dll

Filesize
812KB

MD5
f1493a182787b87e272745d7cf8d13d2

SHA1
aa71e51fb0c157780ec85b8121941b2e1e884a23

SHA256
620a6ce8a2101a9472e54ebf219aa0fb8260f99248922ca3ac057f21cc9ceb0d

SHA512
f95254d4e32b3ae7af963dc9a83612ce9f3dbd78c6db549e74a236da68966d2ebfaceedd102f9af7cf800f5de438d6522369c2da3b8495a820c22c3ea6c1d2d1

Download Submit
\Program Files (x86)\DroidCam\lib\insdrv.exe

Filesize
13KB

MD5
fdabbeb1ee62a56fb695ca6e8ad3d4a1

SHA1
2c8851470a122da74de43de371c94c39befa0696

SHA256
d18438bf03d25002e5aa161669a7cb01d0b2c83d2fa5dc2f9217c3b656eb6b9f

SHA512
97e42153bd5ce9bffdf166630dd677bc1e4945d24cb732dcaa616563b892046d4b9a70d556a9bf907947a8bfcf1c28edbd2dac11bfa4bf40a14db3399e6420d9

Download Submit
\Program Files (x86)\DroidCam\libwinpthread-1.dll

Filesize
77KB

MD5
f154be41738cfcc36f571602666ea751

SHA1
22aefe1948b666232e3aae0c80731a0721be0c93

SHA256
66a2686d2fcdd3f3bfcf39a219519dbe597a8c5f94b4426da5d0e01f3a2d42cd

SHA512
2d6cbd710a290cb9d413798455c450fe985dbc50eabb4405f3588f3cd8a49f4d49bdf2553b3ff7e809814eaadae9d26caf16f50525609a2dd3fd44d32ebec8b9

Download Submit
\Program Files (x86)\DroidCam\swscale-5.dll

Filesize
636KB

MD5
050f6892cb1f9c76d482b967e891615f

SHA1
e37f60aefa9caff1772c7750ce97e23a79380c89

SHA256
c345bb33691f6a483b9da275c38a67974c8648f9e65800abb3057510dc7e81b7

SHA512
678ddc355bc0f0f9d17aab9c054d727cbf7db414e2744f6715e6aad715cd944bea04005ab4e0e2571e95b9aa9149e92edcd83bf5feaecc5457d765513619d0ac

Download Submit
\Program Files (x86)\DroidCam\vc_redist.x86.exe

Filesize
4.8MB

MD5
db0c596f4874c0d5621e42c51d2a04bc

SHA1
c86aa6ebf7718afee5c02606accdbd27a8c198a8

SHA256
2421385460234ac11553d5ae1a2578daee44cb4b839b87dc96d20b5704a41b0a

SHA512
ab0d6f1a0bdf2a645f0d6a8f54163100d0f7b324644f2647c13cb38d36f41ff02d6ec120f9f0df02b3611602938107dcfa86aa15ba00339ed164eb872ecec7b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy560D.tmp\System.dll

Filesize
11KB

MD5
c9473cb90d79a374b2ba6040ca16e45c

SHA1
ab95b54f12796dce57210d65f05124a6ed81234a

SHA256
b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

SHA512
eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy560D.tmp\nsDialogs.dll

Filesize
9KB

MD5
12465ce89d3853918ed3476d70223226

SHA1
4c9f4b8b77a254c2aeace08c78c1cffbb791640d

SHA256
5157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc

SHA512
20495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy560D.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/616-420-0x0000000074D40000-0x0000000074E08000-memory.dmp

Filesize
800KB

Download
memory/616-421-0x0000000074520000-0x00000000746EC000-memory.dmp

Filesize
1.8MB

Download
memory/616-422-0x0000000074520000-0x00000000746EC000-memory.dmp

Filesize
1.8MB

Download
memory/1900-276-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads