IOC Report
ywXeiXEvP2.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| ywXeiXEvP2.exe | PE32+ executable (GUI) x86-64, for MS Windows | initial sample | malicious |
| C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files (x86)\jDownloader\config\conhost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files\Uninstall Information\OfficeClickToRun.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Recovery\XClient.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\XClient.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe | data | dropped | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\XClient.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\9e8d7a4ca61bd9 | ASCII text, with very long lines (609), with no line terminators | dropped | |
| C:\Program Files (x86)\jDownloader\config\088424020bedd6 | ASCII text, with very long lines (432), with no line terminators | dropped | |
| C:\Program Files\Uninstall Information\e6c9b481da804f | ASCII text, with no line terminators | dropped | |
| C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0 | ASCII text, with no line terminators | dropped | |
| C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0 | ASCII text, with very long lines (820), with no line terminators | dropped | |
| C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364 | ASCII text, with very long lines (609), with no line terminators | dropped | |
| C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9 | ASCII text, with very long lines (385), with no line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\Templates\d908c538d2e8d0 | ASCII text, with very long lines (840), with no line terminators | dropped | |
| C:\Recovery\cf20f2cf4406ff | ASCII text, with very long lines (448), with no line terminators | dropped | |
| C:\Recovery\d908c538d2e8d0 | ASCII text, with very long lines (662), with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerWeb.exe.log | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | CSV text | dropped | |
| C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\66fc9ff0ee96c2 | ASCII text, with very long lines (427), with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 11 17:07:08 2024, mtime=Tue Jun 11 17:07:08 2024, atime=Tue Jun 11 17:07:08 2024, length=34816, window=hide | dropped | |
| C:\Windows\ELAMBKUP\d908c538d2e8d0 | ASCII text, with very long lines (563), with no line terminators | dropped | |
| C:\Windows\IME\IMEKR\d908c538d2e8d0 | ASCII text, with no line terminators | dropped | |
| C:\Windows\IdentityCRL\d908c538d2e8d0 | ASCII text, with very long lines (982), with no line terminators | dropped | |