Windows Analysis Report
x-manager_v3.2.16_build98_install.exe

Overview

General Information

Sample name: x-manager_v3.2.16_build98_install.exe
Analysis ID: 1540739
MD5: 7cccb1db5512dc3bb02f8debd4124991
SHA1: 742984072033fa028085e056ce4a3cd626d92c65
SHA256: f169a25a3ea068642cf610a1f7e821a8fa589c50391773cbb0b8130bc719ee7f

Detection

Score: 15
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Contains functionality to detect sleep reduction / modifications
Contains functionality to call native functions
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B4A2F9 strlen,strlen,libssh2_hostkey_methods,strlen,libssh2_crypt_methods,strlen,libssh2_crypt_methods,strlen,strlen,strlen,strlen,strlen,strlen,RAND_bytes,memcpy,memcpy,libssh2_hostkey_methods,memcpy,libssh2_crypt_methods,memcpy,libssh2_crypt_methods,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy, 5_2_63B4A2F9
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B45A0F libssh2_crypt_methods, 5_2_63B45A0F
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B64116 BIO_new_mem_buf,EVP_get_cipherbyname,OPENSSL_init_crypto,BIO_ctrl,PEM_read_bio_PrivateKey,BIO_free,EVP_PKEY_id,EVP_PKEY_free, 5_2_63B64116
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B4B0CE libssh2_crypt_methods,strchr,strlen,strlen, 5_2_63B4B0CE
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B4C079 libssh2_crypt_methods, 5_2_63B4C079
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B63F6D BIO_new_file,EVP_get_cipherbyname,OPENSSL_init_crypto,BIO_ctrl,PEM_read_bio_PrivateKey,BIO_free,EVP_PKEY_id,EVP_PKEY_free, 5_2_63B63F6D
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B4BDA4 libssh2_crypt_methods, 5_2_63B4BDA4
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B4BD8C libssh2_crypt_methods, 5_2_63B4BD8C
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B64C4C libssh2_init,OPENSSL_init_crypto,ENGINE_load_builtin_engines,ENGINE_register_all_complete, 5_2_63B64C4C
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BED3971 strtol,strchr,strlen,strncpy,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,strlen,CertOpenStore,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCRLContext,CertFreeCRLContext,GetLastError, 7_2_6BED3971
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BED2D20 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 7_2_6BED2D20
Source: xbase.exe, 00000005.00000002.2047491008.000000006C013000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4182145b-c
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: mov dword ptr [esi+04h], 424D53FFh 7_2_6BEBEC80
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: mov dword ptr [ebx+04h], 424D53FFh 7_2_6BEBEC80
Source: x-manager_v3.2.16_build98_install.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: x-manager_v3.2.16_build98_install.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 74.219.166.227:443 -> 192.168.2.4:59558 version: TLS 1.2
Source: x-manager_v3.2.16_build98_install.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_68973A03 SetLastError,livecam_malloc,SetLastError,GetFileAttributesW,wcscat,FindFirstFileW,free, 5_2_68973A03
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B52122 libssh2_scp_recv2,time,libssh2_session_last_errno, 5_2_63B52122
Source: global traffic HTTP traffic detected: GET /updates/xcatalog/ HTTP/1.1 Connection: Keep-Alive User-Agent: WinHTTP Test/1.0 Host: downloads.buckeyecam.com
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: downloads.buckeyecam.com
Source: unknown Network traffic detected: HTTP traffic on port 59558 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59558
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_689879BD ntohl,ntohl, 5_2_689879BD
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_6897DE30 livecam_set_thread_name,livecam_calloc,time,memcpy,ntohl,livecam_free,_assert, 5_2_6897DE30
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF188A0 7_2_6BF188A0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF20880 7_2_6BF20880
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEBC831 7_2_6BEBC831
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF12800 7_2_6BF12800
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF0FFD0 7_2_6BF0FFD0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BE8AFB0 7_2_6BE8AFB0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEDBF71 7_2_6BEDBF71
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEDBF39 7_2_6BEDBF39
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BE81EC0 7_2_6BE81EC0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEB7DE0 7_2_6BEB7DE0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BE98DC0 7_2_6BE98DC0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF0ED60 7_2_6BF0ED60
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF0DD54 7_2_6BF0DD54
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEBAD20 7_2_6BEBAD20
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF09D10 7_2_6BF09D10
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF0BD00 7_2_6BF0BD00
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEB4C60 7_2_6BEB4C60
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEDBC20 7_2_6BEDBC20
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEA53E0 7_2_6BEA53E0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BE8D3C0 7_2_6BE8D3C0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BE9A360 7_2_6BE9A360
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF1933B 7_2_6BF1933B
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BE842F0 7_2_6BE842F0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEE52B0 7_2_6BEE52B0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEA2220 7_2_6BEA2220
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEBA230 7_2_6BEBA230
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF12200 7_2_6BF12200
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BC32BB0 7_2_6BC32BB0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BC37E10 7_2_6BC37E10
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 6BE9A090 appears 33 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 6BE8CC60 appears 290 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 689AA230 appears 105 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 6BE8CDF0 appears 314 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 689AA568 appears 46 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 6BF21188 appears 66 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 6BE9A030 appears 32 times
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: String function: 6BEF6680 appears 110 times
Source: x-manager_v3.2.16_build98_install.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-IN0F5.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-OM9I1.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.14, with debug_info, not stripped
Source: is-09PPP.tmp.1.dr Static PE information: Number of sections : 11 > 10
Source: is-CO4IA.tmp.1.dr Static PE information: Number of sections : 18 > 10
Source: x-manager_v3.2.16_build98_install.exe, 00000000.00000003.1672743353.000000007FE35000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs x-manager_v3.2.16_build98_install.exe
Source: x-manager_v3.2.16_build98_install.exe, 00000000.00000003.2120035300.00000000022F8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs x-manager_v3.2.16_build98_install.exe
Source: x-manager_v3.2.16_build98_install.exe, 00000000.00000000.1671012067.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs x-manager_v3.2.16_build98_install.exe
Source: x-manager_v3.2.16_build98_install.exe, 00000000.00000003.1672290542.0000000002688000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs x-manager_v3.2.16_build98_install.exe
Source: x-manager_v3.2.16_build98_install.exe Binary or memory string: OriginalFileName vs x-manager_v3.2.16_build98_install.exe
Source: x-manager_v3.2.16_build98_install.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: clean15.evad.winEXE@7/74@2/1
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BEA9FC0 GetLastError,_errno,FormatMessageA,strchr,_errno,_errno,GetLastError,SetLastError, 7_2_6BEA9FC0
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\BuckEyeCam\X7D Base\xbase.exe Mutant created: NULL
Source: C:\BuckEyeCam\X7D Base\xbase.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1384
Source: C:\BuckEyeCam\X7D Base\xbase.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$70c
Source: C:\BuckEyeCam\X7D Base\xbase.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\C::BUCKEYECAM:X7D BASE:
Source: C:\BuckEyeCam\X7D Base\xbase.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1384
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe File created: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp
Source: Yara match File source: 5.0.xbase.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.2025147980.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\BuckEyeCam\X7D Base\is-OM9I1.tmp, type: DROPPED
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\BuckEyeCam\X7D Base\xbase.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: xbase.exe String found in binary or memory: -address
Source: xbase.exe String found in binary or memory: ../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore
Source: xbase.exe String found in binary or memory: Y@../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore/atomic_load.h
Source: xbase.exe String found in binary or memory: ../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore/int_atomic_load.h
Source: xbase.exe String found in binary or memory: ../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore/short_atomic_load.h
Source: xbase.exe String found in binary or memory: ../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore/int_atomic_store.h
Source: xbase.exe String found in binary or memory: ../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore/atomic_store.h
Source: xbase.exe String found in binary or memory: ../libbeccompat/atomic_ops/atomic_ops/sysdeps/gcc/../loadstore/short_atomic_store.h
Source: xbase.exe String found in binary or memory: -addr
Source: xbase.exe String found in binary or memory: -addrlen
Source: xbase.exe String found in binary or memory: /load_dll
Source: xbase.exe String found in binary or memory: Unable to complete request for channel-process-startup
Source: x-manager_v3.2.16_build98_install.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe File read: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe
Source: unknown Process created: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe "C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe"
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Process created: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp "C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp" /SL5="$10478,35222396,832512,C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe"
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process created: C:\BuckEyeCam\X7D Base\xbase.exe "C:\BuckEyeCam\X7D Base\xbase.exe" -distribute-firmware
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process created: C:\BuckEyeCam\X7D Base\xbase.exe "C:\BuckEyeCam\X7D Base\xbase.exe"
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Section loaded: apphelp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: apphelp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: livecam.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasdlg.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: netapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: version.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libgcc_s_dw2-1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libstdc++-6.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libcurl.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: zlib1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libssh2-1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winmm.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: iphlpapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winhttp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasman.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libcrypto-1_1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libssl-1_1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libcrypto-1_1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: mprapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rtutils.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dpapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wkscli.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: cscapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: uxtheme.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: kernel.appcore.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wtsapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winsta.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: faultrep.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dbghelp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dbgcore.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ntmarta.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: security.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: secur32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: sspicli.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: windows.storage.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wldp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: livecam.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasdlg.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: netapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: version.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: mprapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rtutils.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasman.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dpapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winmm.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: iphlpapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winhttp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasman.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libgcc_s_dw2-1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libstdc++-6.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libcurl.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: zlib1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libssh2-1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libcrypto-1_1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: libssl-1_1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wkscli.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: cscapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: uxtheme.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: kernel.appcore.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wtsapi32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winsta.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: faultrep.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dbghelp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dbgcore.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ntmarta.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: security.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: secur32.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: sspicli.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: windows.storage.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wldp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: mscms.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: userenv.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: coloradapterclient.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: textinputframework.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: coreuicomponents.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: coremessaging.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: wintypes.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: textshaping.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ftd2xx.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dwmapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: webio.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: mswsock.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: winnsi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: dnsapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rasadhlp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: fwpuclnt.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: schannel.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: mskeyprotect.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ntasn1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ncrypt.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: ncryptsslp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: msasn1.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: cryptsp.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: rsaenh.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: cryptbase.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: gpapi.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: cryptnet.dll
Source: C:\BuckEyeCam\X7D Base\xbase.exe Section loaded: msxml6.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: X-Series Network Manager.lnk.1.dr LNK file: ..\..\..\..\..\..\..\BuckEyeCam\X7D Base\xbase.exe
Source: X-Series Network Manager.lnk0.1.dr LNK file: ..\..\..\BuckEyeCam\X7D Base\xbase.exe
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: x-manager_v3.2.16_build98_install.exe Static PE information: certificate valid
Source: x-manager_v3.2.16_build98_install.exe Static file information: File size 36076120 > 1048576
Source: x-manager_v3.2.16_build98_install.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_62E8FAD0 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,_winmajor, 5_2_62E8FAD0
Source: x-manager_v3.2.16_build98_install.exe Static PE information: section name: .didata
Source: x-manager_v3.2.16_build98_install.tmp.0.dr Static PE information: section name: .didata
Source: is-TM5LR.tmp.1.dr Static PE information: section name: .rodata
Source: is-TM5LR.tmp.1.dr Static PE information: section name: /4
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /4
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /14
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /29
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /41
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /55
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /67
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /78
Source: is-CO4IA.tmp.1.dr Static PE information: section name: /89
Source: is-F5AKD.tmp.1.dr Static PE information: section name: .eh_fram
Source: is-09PPP.tmp.1.dr Static PE information: section name: .stab
Source: is-09PPP.tmp.1.dr Static PE information: section name: .stabstr
Source: is-IN0F5.tmp.1.dr Static PE information: section name: .didata
Source: is-OM9I1.tmp.1.dr Static PE information: section name: .didata
Source: is-CCAQ9.tmp.1.dr Static PE information: section name: /4
Source: is-QCM61.tmp.1.dr Static PE information: section name: .data_cy
Source: is-86H01.tmp.1.dr Static PE information: section name: .autoloa
Source: is-86H01.tmp.1.dr Static PE information: section name: .gnu_deb
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B7B07C push ds; ret 5_2_63B7B065
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B7B05E push ds; ret 5_2_63B7B065
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B80639 pushad ; retf 0002h 5_2_63B80675
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B85594 push esp; ret 5_2_63B85595
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_68959BEC push eax; mov dword ptr [esp], 00000010h 5_2_68959D55
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_68959B18 push eax; mov dword ptr [esp], 00000010h 5_2_68959BAA
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_689C7D22 push 689C7C0Ch; retf 0000h 5_2_689C7D28
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_689C10FF push E8240C89h; retf 5_2_689C1111
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF20820 push dword ptr [eax+04h]; ret 7_2_6BF2084F
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BED2D20 push eax; mov dword ptr [esp], 00000000h 7_2_6BED2D22
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-CO4IA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-09PPP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libstdc++-6.dll (copy)
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe File created: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\teamviewerqs-idcqvsqvk7.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\livecam.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\ffmpeg.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-TM5LR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libssl-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-F5AKD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-15JQ5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-CCAQ9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\drivers\is-UM198.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-QCM61.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\drivers\x7d_driver_setup.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-86H01.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-IN0F5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\msys-z.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libssh2-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-35PPD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-6HOHU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-T8KBQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\cc3270.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-QQSBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\xbase.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-363IA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-OM9I1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\Users\user\AppData\Local\Temp\is-2MKEL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-PAR7S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\msys-1.0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\is-B63VE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libcrypto-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\BuckEyeCam\X7D Base\libgcc_s_dw2-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BuckEye Cam
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BuckEye Cam\X-Series Network Manager
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BuckEye Cam\X-Series Network Manager\X-Series Network Manager.lnk
Source: C:\Users\user\Desktop\x-manager_v3.2.16_build98_install.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\BuckEyeCam\X7D Base\xbase.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\BuckEyeCam\X7D Base\xbase.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\BuckEyeCam\X7D Base\xbase.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\BuckEyeCam\X7D Base\xbase.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\BuckEyeCam\X7D Base\xbase.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\BuckEyeCam\X7D Base\xbase.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_68974896 5_2_68974896
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-CO4IA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-09PPP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\teamviewerqs-idcqvsqvk7.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\ffmpeg.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-TM5LR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-F5AKD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-15JQ5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-CCAQ9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\drivers\is-UM198.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-QCM61.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\drivers\x7d_driver_setup.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-86H01.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-IN0F5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\msys-z.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-35PPD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-6HOHU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-T8KBQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\cc3270.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-QQSBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-363IA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2MKEL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-PAR7S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\msys-1.0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\is-B63VE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Dropped PE file which has not been started: C:\BuckEyeCam\X7D Base\unins000.exe (copy)
Source: C:\BuckEyeCam\X7D Base\xbase.exe API coverage: 0.5 %
Source: C:\BuckEyeCam\X7D Base\xbase.exe TID: 2704 Thread sleep time: -30000s >= -30000s
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_68973A03 SetLastError,livecam_malloc,SetLastError,GetFileAttributesW,wcscat,FindFirstFileW,free, 5_2_68973A03
Source: x-manager_v3.2.16_build98_install.tmp, 00000001.00000003.2116832659.0000000000818000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: xbase.exe, 00000007.00000003.2825263776.0000000001766000.00000004.00000020.00020000.00000000.sdmp, xbase.exe, 00000007.00000003.2826625508.0000000001701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Process information queried: ProcessInformation
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_62E8FAD0 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,_winmajor, 5_2_62E8FAD0
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BC05BFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_6BC05BFC
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BC05C00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_6BC05C00
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF1FC60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_6BF1FC60
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF1FC5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_6BF1FC5C
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BDE2C50 cpuid 7_2_6BDE2C50
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-Q65GG.tmp\x-manager_v3.2.16_build98_install.tmp Queries volume information: C:\ VolumeInformation
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B65DC8 GetSystemTimeAsFileTime, 5_2_63B65DC8
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 7_2_6BF20C10 GetTimeZoneInformation,GetSystemTimeAsFileTime, 7_2_6BF20C10
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_689969F2 memset,memset,strcpy,livecam_free,GetVersionExA,sprintf,sprintf,GetComputerNameA,strcat,livecam_free, 5_2_689969F2
Source: C:\BuckEyeCam\X7D Base\xbase.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_63B42212 libssh2_channel_forward_listen_ex,time,libssh2_session_last_errno, 5_2_63B42212
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_6897E9EB mg_stop_listening,_write, 5_2_6897E9EB
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_6898BCED libssh2_channel_forward_listen_ex,libssh2_session_last_error, 5_2_6898BCED
Source: C:\BuckEyeCam\X7D Base\xbase.exe Code function: 5_2_6897BD9D socket,setsockopt,bind,listen,GetLastError,strerror,closesocket,livecam_realloc, 5_2_6897BD9D