IOC Report
3TpW2Sn68z.exe

Files

File Path | Type | Category | Malicious
3TpW2Sn68z.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\remcos\logs.dat | data | modified | malicious
C:\Users\user\AppData\Local\directory\RegAsymX.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs | data | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_54b38e612730b8c5952b2618de6f5b28d71e92_bac6fce3_69ee89ae-f8ea-433c-9a8e-e8d9b5708f58\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC84C.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Sep 5 12:17:06 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEB6.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEE6.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\Lymnaeidae | ASCII text, with very long lines (65536), with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\autA43A.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autA489.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autA870.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autA8DF.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autAD71.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autADD0.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autDA6D.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\autDABC.tmp | data | dropped |
C:\Users\user\AppData\Local\Temp\ophiolatrous | data | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
9 further file entries are not shown in this export.

Note: the four entries flagged malicious are the sample itself, the dropped copy RegAsymX.exe (same PE type as the sample), the Startup-folder RegAsymX.vbs that relaunches it at logon, and C:\ProgramData\remcos\logs.dat, the file Remcos writes captured keystrokes to. The WER files and Amcache.hve are written by Windows itself (the AppCrash report is for svchost.exe). The aut*.tmp files in %TEMP% follow the naming pattern that AutoIt-compiled executables use when extracting embedded files; that is an inference from the names, as this export does not identify the loader.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\3TpW2Sn68z.exe | "C:\Users\user\Desktop\3TpW2Sn68z.exe" | malicious
C:\Users\user\AppData\Local\directory\RegAsymX.exe | "C:\Users\user\Desktop\3TpW2Sn68z.exe" | malicious
C:\Users\user\AppData\Local\directory\RegAsymX.exe | "C:\Users\user\AppData\Local\directory\RegAsymX.exe" | malicious
C:\Windows\SysWOW64\svchost.exe | svchost.exe | malicious
C:\Windows\System32\wscript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" | malicious
C:\Users\user\AppData\Local\directory\RegAsymX.exe | "C:\Users\user\AppData\Local\directory\RegAsymX.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568 |

Note: the second row carries the original sample's command line under the dropped image path, i.e. the sample drops RegAsymX.exe and re-executes from that location, and the wscript.exe row is the Startup-folder VBS launching it again. SysWOW64\svchost.exe with the bare command line "svchost.exe" is not how a service host is normally started (services.exe launches it with "-k <group>"), and the WerFault.exe invocation (-p 7660 is the PID of the crashing process) together with the svchost.exe AppCrash report in the Files table is consistent with the payload being injected into a hollowed svchost.exe, although the injection itself is not shown in this export.

URLs

Name | IP | Malicious
84.38.132.103 | | malicious
http://geoplugin.net/json.gp | unknown |
http://upx.sf.net | unknown |
http://geoplugin.net/json.gp/C | unknown |

Note: http://upx.sf.net is the URL embedded in the header of every UPX-packed binary, not an endpoint the sample contacted, and http://geoplugin.net/json.gp/C appears to be a string-extraction artefact of the geoplugin URL rather than a second endpoint. http://geoplugin.net/json.gp is the geolocation lookup Remcos performs; it is a legitimate service and should not be blocked on its own, but a request to it from an unexpected process is a useful pivot.

IPs

IP | Domain | Country | Malicious
84.38.132.103 | unknown | Latvia | malicious

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R | exepath |
HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R | licence |
HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R | time |
HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R | WD |
HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R | WD |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | ProgramId |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | FileId |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | LowerCaseLongPath |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | LongPathHash |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | Name |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | OriginalFileName |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | Publisher |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | Version |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | BinFileVersion |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | BinaryType |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | ProductName |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | ProductVersion |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | LinkDate |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | BinProductVersion |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | AppxPackageFullName |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | AppxPackageRelativeId |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | Size |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | Language |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | IsOsComponent |
\REGISTRY\A\{a73be6fa-fb11-87a2-e07c-27d8aa3c4c16}\Root\InventoryApplicationFile\svchost.exe|1260c7b0519b1406 | Usn |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | ClockTimeSeconds |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | TickCount |
17 further registry entries are not shown in this export.

Note: the attacker-controlled data here is HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R, the per-build key under which Remcos keeps its configuration (exepath, licence, time, WD); the Rmc- prefix is constant across builds while the suffix varies, so hunt on the prefix rather than the exact key. The \REGISTRY\A\{...}\Root\InventoryApplicationFile\svchost.exe|... entries are Windows updating the Amcache application-inventory hive (app hives are mounted under \REGISTRY\A\) for the svchost.exe process, and the IdentityCRL\ClockData values are routine OS housekeeping; neither is written by the malware.

Memdumps

Base Address (hex) | Region type | Protect | Malicious
4130000 | direct allocation | page read and write | malicious
3CEF000 | stack | page read and write | malicious
1040000 | direct allocation | page read and write | malicious
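Taken together, the indicators above form the Remcos RAT pattern: a dropped copy of the sample (RegAsymX.exe) relaunched through a .vbs in the user's Startup folder, a configuration key HKCU\SOFTWARE\Rmc-<id> holding exepath, licence and time values, a keystroke log at C:\ProgramData\remcos\logs.dat, a geoplugin.net lookup, and traffic to 84.38.132.103. The script below is an added example, not part of the sandbox report, that turns those indicators into host-telemetry rules and runs them over a handful of constructed Sysmon-style records. The record schema, field names, parent images and the benign control records are assumptions made for the example; the Rmc-<id> key pattern and the per-user Startup-folder .vbs pattern deliberately generalise beyond the exact values in the report so that a different build or user name still matches.

```python
"""IOC sweep for the indicators in this report (added example, not part of
the report). Records are constructed Sysmon-style dicts; the schema and
field names are assumptions, so map them to your own telemetry first."""
import re
from typing import Callable, Dict, List, Tuple

# --- Exact indicators copied from the report's tables -----------------------
C2_IP = "84.38.132.103"                                        # IPs table
GEO_URL = "http://geoplugin.net/json.gp"                       # URLs table
KEYLOG_PATH = r"c:\programdata\remcos\logs.dat"                # Files table
STARTUP_VBS = (r"c:\users\user\appdata\roaming\microsoft\windows"
               r"\start menu\programs\startup\regasymx.vbs")
CONFIG_KEY = r"hkey_current_user\software\rmc-fr1m2r"         # Registry table
CONFIG_VALUES = {"exepath", "licence", "time", "wd"}

# --- Generalised patterns (assumption: other builds of the same family) -----
# The Rmc-<id> suffix and the user/VBS names change per build, so match shape.
RMC_KEY_RE = re.compile(r"^hkey_current_user\\software\\rmc-[a-z0-9]+$")
STARTUP_VBS_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\[^\\]+\.vbs$")


def _n(value) -> str:
    """Lower-case a telemetry field, treating a missing field as empty."""
    return (value or "").lower()


# (rule name, record type, predicate over the record)
RULES: List[Tuple[str, str, Callable[[dict], bool]]] = [
    ("remcos_keylog_file", "file",
     lambda r: _n(r.get("path")) == KEYLOG_PATH),
    ("startup_vbs_persistence", "file",
     lambda r: _n(r.get("path")) == STARTUP_VBS
     or STARTUP_VBS_RE.match(_n(r.get("path"))) is not None),
    ("remcos_config_key", "registry",
     lambda r: (_n(r.get("key")) == CONFIG_KEY
                or RMC_KEY_RE.match(_n(r.get("key"))) is not None)
     and _n(r.get("value_name")) in CONFIG_VALUES),
    ("wscript_startup_vbs", "process",
     lambda r: _n(r.get("image")).endswith(r"\wscript.exe")
     and ".vbs" in _n(r.get("cmdline"))
     and "\\startup\\" in _n(r.get("cmdline"))),
    # The report shows SysWOW64\svchost.exe with the bare command line
    # "svchost.exe"; a genuine service host is started by services.exe with
    # "-k <group>", so flag the combination of a non-services parent and no -k.
    ("hollowed_svchost", "process",
     lambda r: _n(r.get("image")) == r"c:\windows\syswow64\svchost.exe"
     and "-k" not in _n(r.get("cmdline")).split()
     and not _n(r.get("parent_image")).endswith(r"\services.exe")),
    ("c2_connection", "network",
     lambda r: r.get("dst_ip") == C2_IP),
    ("geoplugin_lookup", "network",
     lambda r: _n(r.get("url")).startswith(GEO_URL)),
]


def scan(records) -> Dict[int, List[str]]:
    """Return {record id: [matching rule names]} for every record that hits."""
    hits: Dict[int, List[str]] = {}
    for rec in records:
        for name, rtype, pred in RULES:
            if rec.get("type") == rtype and pred(rec):
                hits.setdefault(rec["id"], []).append(name)
    return hits


# Constructed sample telemetry, not captured data: ids 1-6 and 11 mirror the
# report's artifacts (parent images are assumed), 7-8 are benign controls,
# 9 is a hypothetical different Remcos build, 10 is the geolocation lookup.
SAMPLE_RECORDS = [
    {"id": 1, "type": "process", "image": r"C:\Users\user\Desktop\3TpW2Sn68z.exe",
     "cmdline": r'"C:\Users\user\Desktop\3TpW2Sn68z.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft"
     r"\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"},
    {"id": 3, "type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-FR1M2R",
     "value_name": "exepath"},
    {"id": 4, "type": "process", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": "svchost.exe",
     "parent_image": r"C:\Users\user\AppData\Local\directory\RegAsymX.exe"},
    {"id": 5, "type": "network", "dst_ip": "84.38.132.103"},
    {"id": 6, "type": "file", "path": r"C:\ProgramData\remcos\logs.dat"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 8, "type": "registry",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive"},
    {"id": 9, "type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-A1B2C3",
     "value_name": "licence"},
    {"id": 10, "type": "network", "url": "http://geoplugin.net/json.gp"},
    {"id": 11, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming'
     r'\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"'},
]

if __name__ == "__main__":
    for rec_id, names in sorted(scan(SAMPLE_RECORDS).items()):
        print(f"record {rec_id}: {', '.join(names)}")
```

The two exact-match rules (the C2 IP and the logs.dat path) are the brittle ones: a rebuilt sample changes both. The shape-based rules (Rmc- key prefix, Startup-folder .vbs, wscript launching from Startup, a SysWOW64 svchost without -k and without services.exe as parent) survive a rebuild and are what to promote into a SIEM query; the geoplugin rule is a pivot, not a verdict, since the service is legitimate.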