Windows Analysis Report 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Overview

General Information

Sample Name: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Analysis ID: 553373
MD5: 971e01647fbdc05bef3df71b008e2ca6
SHA1: d8122ee820db5d937056c2f1fd0b7bbf89d8b9c1
SHA256: 0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
Tags: exe, RedLineStealer

Detection

RedLine SmartSearch Installer SmokeLoader Vidar onlyLogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara Genericmalware
Yara detected SmokeLoader
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
DLL reload attack detected
Multi AV Scanner detection for submitted file
Yara detected onlyLogger
Antivirus / Scanner detection for submitted sample
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Yara detected SmartSearch Installer
Disable Windows Defender real time protection (registry)
Found stalling execution ending in API Sleep call
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicious Svchost Process
Found many strings related to Crypto-Wallets (likely being stolen)
PE file contains section with special chars
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to dynamically determine API calls
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Searches for user specific document files
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

Yara Genericmalware
Source: Yara match File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED
Antivirus detection for URL or domain
Source: http://45.144.225.57/EU/searchEUunlim.exe Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exemf Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exeme Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file1.exeC: Avira URL Cloud: Label: malware
Source: http://xmtbsj.com/setup.exe Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exeC: Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exe/sfx_123_310.exe8 Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exe%d3 Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exemp Avira URL Cloud: Label: malware
Source: https://iplis.ru:443/1G8Fx7.mp3tData.phpr Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exe Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/sfx_123_310.exeKd Avira URL Cloud: Label: malware
Source: http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exe Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file1.exeL Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file10.exe1d/ Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exet Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exevw9 Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file1.exe Avira URL Cloud: Label: malware
Source: http://45.144.225.57/EU/searchEUunlim.exem Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exeL Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exeM Avira URL Cloud: Label: malware
Source: http://2.56.59.42:80/base/api/getData.php Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file7.exeC: Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exen Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exe Avira URL Cloud: Label: malware
Source: http://2.56.59.42/base/api/getData.php Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file2.exe0.exeQd Avira URL Cloud: Label: malware
Source: http://45.144.225.57/EU/searchEUunlim.exeC: Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exean Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exemZ Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exe0 Avira URL Cloud: Label: malware
Source: https://iplis.ru/ Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exe Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file2.exeC: Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file4.exe Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/sfx_123_310.exeW Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exeF Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe Avira: detection malicious, Label: HEUR/AGEN.1144918
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\HR[1].exe Avira: detection malicious, Label: HEUR/AGEN.1142105
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt Avira: detection malicious, Label: HEUR/AGEN.1144344
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe Avira: detection malicious, Label: HEUR/AGEN.1144918
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe Avira: detection malicious, Label: TR/AD.MalwareCrypter.lssyq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe Avira: detection malicious, Label: TR/Redcap.loame
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt Avira: detection malicious, Label: HEUR/AGEN.1144071
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt Avira: detection malicious, Label: TR/Dldr.Agent.ahsja
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt Avira: detection malicious, Label: HEUR/AGEN.1142187
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\search_target1kpd[1].exe Avira: detection malicious, Label: TR/AD.MalwareCrypter.zmiqj
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt Avira: detection malicious, Label: HEUR/AGEN.1144344
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt Avira: detection malicious, Label: HEUR/AGEN.1202313
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt Avira: detection malicious, Label: HEUR/AGEN.1144344
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe Avira: detection malicious, Label: TR/Agent.grsnc
Multi AV Scanner detection for submitted file
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Virustotal: Detection: 64%
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe ReversingLabs: Detection: 69%
Antivirus / Scanner detection for submitted sample
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe ReversingLabs: Detection: 64%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file4[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\setup[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.arnatic_3.exe.23e0e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.arnatic_4.exe.d30000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 15.0.arnatic_3.exe.23e0e50.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.3.arnatic_3.exe.2480000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.arnatic_3.exe.23e0e50.4.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040E9C8 _memset,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA, 15_2_0040E9C8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040EB60 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 15_2_0040EB60
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040EBC3 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 15_2_0040EBC3
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040ECDA _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 15_2_0040ECDA

Compliance:

Uses 32bit PE files
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\xexic.pdb source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source: Binary string: G:\MyProject\StreetPlayer\ExtraProgram\DropTarget\x64\Release_EXE\DTDrop64.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source: Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source: Binary string: L9C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\jejenos75 sic-fopotepumazok\katikame.pdb source: arnatic_5.exe, 00000013.00000003.374716400.0000000007A9B000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389718434.0000000007B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.374635601.0000000007A79000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.408864251.0000000007D11000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source: Binary string: C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source: Binary string: -C:\hapatepo_jaga\pulaciyegac\96\le.pdbhQE source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source: Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdb source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source: Binary string: C:\ruri weteveruj-57 picomamodige\secobud\nikume\hocu\f.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source: Binary string: _C:\xexic.pdbh source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source: Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source: Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdbhqE source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source: Binary string: C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdb source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp
Source: Binary string: C:\hapatepo_jaga\pulaciyegac\96\le.pdb source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source: Binary string: Dx 5C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdbh source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040A5EA _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 15_2_0040A5EA
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00404B47 FindFirstFileW, 1_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040A24D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose, 15_2_0040A24D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_004625DE __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 15_2_004625DE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00412D8E _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose, 15_2_00412D8E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00404F13 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 15_2_00404F13
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00412F8E __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose, 15_2_00412F8E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040F050
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040F0A9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E210
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then push edi 7_2_00421220
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then sub edx, 01h 7_2_0041C6B0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E2A0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040D340
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E331
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E389
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E449
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E473
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then push ebp 7_2_00420400
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E410
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040F4C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E48C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E4B0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E540
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040F560
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E5C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then push edi 7_2_004615E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then push ebx 7_2_004615E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E645
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E670
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E610
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then sub esp, 1Ch 7_2_0041C6D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then sub edx, 01h 7_2_0041C6B0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then mov eax, dword ptr [ecx] 7_2_0042A760
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then sub esp, 1Ch 7_2_004917E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E840
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040F8E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040E8E9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then sub esp, 1Ch 7_2_0041C892
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then push edi 7_2_00429A70
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_00410ACC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040EAAC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_00410B10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040EB20
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040EC60
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_00498C10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then jmp 004014E0h 7_2_0040ECD0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then mov eax, dword ptr [ecx] 7_2_00420CB0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 4x nop then sub esp, 1Ch 7_2_00425DB3

Networking:

Yara detected onlyLogger
Source: Yara match File source: 0000002E.00000003.451819905.0000000000730000.00000004.00000001.sdmp, type: MEMORY
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 10
Source: arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://185.215.113.208/ferrari.exe
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://185.215.113.208/ferrari.exe.
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: http://185.215.113.208/ferrari.exeC:
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://185.215.113.208/ferrari.exee
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://185.215.113.208/ferrari.exex
Source: arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42
Source: arnatic_5.exe, 00000013.00000003.440987271.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42/33F
Source: arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42/base/api/getData.php
Source: arnatic_5.exe, 00000013.00000003.440987271.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42/base/api/getData.php-3x
Source: arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://2.56.59.42:80/base/api/getData.php
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exeC:
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exeL
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exed
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exem
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exe&
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exe0.exeQd
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exeC:
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exem
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exen
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exet
Source: arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410547769.00000000063FF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393000664.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exe
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404672354.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410547769.00000000063FF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393000664.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exe0.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exeC:
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exeme
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exemf
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exen
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exet
Source: arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exeC:
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exeV
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367289220.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366735178.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file10.exe
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file10.exe1d/
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file10.exeC:
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file10.exej
Source: arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file5.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/WW/file5.exeC:
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file5.exeL
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file5.exeZ
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file5.exem
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file5.exet(
Source: arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file6.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file6.exe4
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/WW/file6.exeC:
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file6.exeL
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file6.exem
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file6.exem3g-
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exeC:
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exeP
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exej
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exem
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exem:
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file7.exe~
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file8.exe
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file8.exe%d3
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file8.exe:
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/WW/file8.exeC:
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file8.exeL
Source: arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file8.exeM
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exe.45/WW/file9.exeF
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exe0
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exeC:
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exeF
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exeeT
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exem
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exemZ
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.45/WW/file9.exexex
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/EU/searchEUunlim.exe
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/EU/searchEUunlim.exeC:
Source: arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/EU/searchEUunlim.exem
Source: arnatic_5.exe, 00000013.00000003.382115209.0000000003F62000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exe/sfx_123_310.exe8
Source: arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exe4
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exeC:
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exeQ
Source: arnatic_5.exe, 00000013.00000003.391048564.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386881565.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389372557.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379483233.00000000064F9000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exean
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exek
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exemp
Source: arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427458418.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443764679.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386604830.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379326588.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exev
Source: arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427458418.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443764679.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386604830.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379326588.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exevw9
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exez_
Source: arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exe
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exeC:
Source: arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exeKd
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exeW
Source: arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: arnatic_5.exe, 00000013.00000003.406395896.0000000003F62000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp String found in binary or memory: http://joinarts.top/check.php?publisher=ww2
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: http://joinarts.top/check.php?publisher=ww2&
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: http://joinarts.top/check.php?publisher=ww2C:
Source: arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp String found in binary or memory: http://joinarts.top/check.php?publisher=ww2I
Source: arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp String found in binary or memory: http://joinarts.top/check.php?publisher=ww2W
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291271193.0000000001FE0000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304539323.0000000064957000.00000008.00020000.sdmp String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: setup_install.exe, 00000007.00000003.296106978.0000000002710000.00000004.00000001.sdmp String found in binary or memory: http://motiwa.xyz/
Source: setup_install.exe, 00000007.00000003.296106978.0000000002710000.00000004.00000001.sdmp String found in binary or memory: http://motiwa.xyz/myip.phpaddInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=4addInstallImpression.p
Source: arnatic_5.exe, 00000013.00000003.421330234.0000000003F53000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406202096.0000000003F1C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488635760.0000000003EB0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405510339.0000000003F1C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp String found in binary or memory: http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exe
Source: arnatic_5.exe, 00000013.00000003.481529607.0000000003EB1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488635760.0000000003EB0000.00000004.00000001.sdmp String found in binary or memory: http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exeC:
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exeC:
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exev
Source: arnatic_5.exe, 00000013.00000003.440924023.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481412159.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487584514.0000000000B36000.00000004.00000020.sdmp String found in binary or memory: http://wfsdragon.ru/api/setStats.php
Source: arnatic_5.exe, 00000013.00000003.402660540.0000000007C48000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: arnatic_5.exe, 00000013.00000003.402660540.0000000007C48000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll0
Source: arnatic_5.exe, 00000013.00000003.381215822.0000000003F66000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://xmtbsj.com/setup.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: http://xmtbsj.com/setup.exeC:
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://xmtbsj.com/setup.exeg
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: http://xmtbsj.com/setup.exew
Source: arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/G
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/859162831710846989/864849557661286400/Bear_Vpn.exe
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmp
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmpC:
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmpmp
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmp
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmp331/o
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpC:
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpM
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpe
Source: arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
Source: arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpB
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpC:
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpM
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpY
Source: arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpp
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpq
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmp
Source: arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpC82860-4
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpC:
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpmpH
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmp
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmp$
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmpC:
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmpp
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp1638Z0
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpC:
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpmp
Source: arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
Source: arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp$
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpC:
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpHQ;
Source: arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpa
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmphP
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmptPo
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmp
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpB8A2D94-0
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpC:
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpU
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456916586.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp1
Source: arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp=
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmpC:
Source: arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp%
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp-
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp5
Source: arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpB8A2D94-0A
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpC:
Source: arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpJ
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpurity.
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpC:
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpM
Source: arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpMozilla/5.0
Source: arnatic_5.exe, 00000013.00000003.440987271.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440924023.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmp
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmpC:
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmpe
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmpid
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmp
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmpC:
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmpF
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmperU
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmppF
Source: arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/928293476800532500/utube0501.bmp
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/928293476800532500/utube0501.bmpQb
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/930749897811062804/help1201.bmp
Source: arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/930849718240698368/Roll.bmp
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmp
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpH
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmphb
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmp
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmp?
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmpm
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpE
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpu
Source: arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931285223709225071/russ.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931285223709225071/russ.bmp=
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 
00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931469914336821298/softer1401.bmp
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931474583054352464/newt.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931474583054352464/newt.bmpe
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 
00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmpC
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmpW
Source: arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931494519592075284/27f_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931494519592075284/27f_1401.bmpbe
Source: arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931559821109493760/redcappes_crypted.bm
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 
00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931600723630764112/real1401.bmp
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304636347.000000006B4CC000.00000040.00020000.sdmp String found in binary or memory: https://curl.se/V
Source: setup_install.exe, 00000007.00000002.304593734.000000006B49E000.00000002.00020000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304636347.000000006B4CC000.00000040.00020000.sdmp String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: setup_install.exe, 00000007.00000003.295710094.0000000002710000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304593734.000000006B49E000.00000002.00020000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp String found in binary or memory: https://db-ip.com/Entry
Source: setup_install.exe, 00000007.00000003.295885776.0000000002710000.00000004.00000001.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 
00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/
Source: arnatic_5.exe, 00000013.00000003.427047961.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443791496.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480665699.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422152570.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432699630.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443329900.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417450531.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427504091.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422705718.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456966893.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432312491.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489778970.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeC:
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeI
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeJ
Source: arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeo
Source: arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exe
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeC:
Source: arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeI
Source: arnatic_5.exe, 00000013.00000003.427047961.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443791496.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422152570.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432699630.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443329900.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417450531.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427504091.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422705718.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456966893.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432312491.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeg
Source: arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://innovicservice.net:80/
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp String found in binary or memory: https://ipgeolocation.io/Content-Type:
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp String found in binary or memory: https://ipinfo.io/:Content-Type:
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp String found in binary or memory: https://iplis.ru/
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://iplis.ru/1G8Fx7.mp3
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://iplis.ru/1S3fd7.mp3
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp String found in binary or memory: https://iplis.ru/1S3fd7.mp3s
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp String found in binary or memory: https://iplis.ru/ar1
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp String found in binary or memory: https://iplis.ru/tr
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp String found in binary or memory: https://iplis.ru/xs
Source: arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: https://iplis.ru:443/1G8Fx7.mp3tData.phpr
Source: arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: https://iplis.ru:443/1S3fd7.mp3
Source: arnatic_5.exe, 00000013.00000003.377558259.00000000065CD000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388114917.00000000078F9000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1epKp7http://watertecindia.com/watertec/fw%d.exehttp://watertecindia.com/watert
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp String found in binary or memory: https://s.lletlee.com/tmp/aaa_v002.dllxxxxxxxxxxxxxxxxxxxH
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp String found in binary or memory: https://sslamlssa1.tumblr.com/
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: https://sslamlssa1.tumblr.com/g
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com/
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com/W
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com/watertec/f.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com/watertec/f.exeC:
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com/watertec/f.exeh
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com:80/watertec/f.exe
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://watertecindia.com:80/watertec/f.exee
Source: setup_install.exe, 00000007.00000002.304418108.0000000002714000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304171315.000000000071C000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address//ids0Content-Type:
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp String found in binary or memory: https://www.tumblr.com
Source: arnatic_3.exe, 0000000F.00000002.445930986.00000000028E0000.00000004.00000040.sdmp, arnatic_3.exe, 0000000F.00000000.316865922.000000000019A000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp String found in binary or memory: https://www.tumblr.com/explore?referer=404
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp String found in binary or memory: https://www.tumblr.com/login
Source: arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp String found in binary or memory: https://www.tumblr.com/policy/en/privacy
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp String found in binary or memory: https://www.tumblr.com/register
Source: arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/A
Source: arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exe
Source: arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exe/&
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exeC:
Source: arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exeRI
Source: arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exer
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com:80/HR.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040B048 __EH_prolog3_GS,DeleteUrlCacheEntry,DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 15_2_0040B048

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: arnatic_3.exe, 0000000F.00000000.323836976.0000000000CDA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara Genericmalware
Source: Yara match File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands:

Yara detected SmartSearch Installer
Source: Yara match File source: 00000031.00000002.584879156.0000000002F70000.00000040.00000001.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section
Source: setup_install.exe.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurl.dll.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
PE file contains section with special chars
Source: arnatic_6.txt.1.dr Static PE information: section name: !AHg.#
PE file has nameless sections
Source: arnatic_6.txt.1.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6764 -s 1092
Detected potential crypto function
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_0040BD85 1_2_0040BD85
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00403101 1_2_00403101
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00410138 1_2_00410138
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_004192A1 1_2_004192A1
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_0041937B 1_2_0041937B
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00416C70 1_2_00416C70
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00416536 1_2_00416536
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00417EC0 1_2_00417EC0
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00413ED0 1_2_00413ED0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004471E0 7_2_004471E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043C1A0 7_2_0043C1A0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00431240 7_2_00431240
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00432260 7_2_00432260
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004112C0 7_2_004112C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040D340 7_2_0040D340
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040D300 7_2_0040D300
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043E3E0 7_2_0043E3E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00415380 7_2_00415380
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00442410 7_2_00442410
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00419520 7_2_00419520
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043B6A0 7_2_0043B6A0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0044E870 7_2_0044E870
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00451870 7_2_00451870
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004148E0 7_2_004148E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040B8F0 7_2_0040B8F0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00441950 7_2_00441950
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00443A10 7_2_00443A10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00412B70 7_2_00412B70
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043EB90 7_2_0043EB90
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040DBA0 7_2_0040DBA0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043CC50 7_2_0043CC50
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043DC50 7_2_0043DC50
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0043AC70 7_2_0043AC70
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00434C10 7_2_00434C10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0042DD20 7_2_0042DD20
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00416DB0 7_2_00416DB0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0047E2DC 15_2_0047E2DC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0042E2FC 15_2_0042E2FC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_004543D0 15_2_004543D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_004783F0 15_2_004783F0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00442470 15_2_00442470
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0045A489 15_2_0045A489
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00438570 15_2_00438570
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00468530 15_2_00468530
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_004165AB 15_2_004165AB
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00426692 15_2_00426692
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00478885 15_2_00478885
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00478C23 15_2_00478C23
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00452C31 15_2_00452C31
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00478FF5 15_2_00478FF5
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0047F0D0 15_2_0047F0D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00EAF5C0 19_2_00EAF5C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E47F20 19_2_00E47F20
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E91F30 19_2_00E91F30
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E5F18B 19_2_00E5F18B
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E7BBF0 19_2_00E7BBF0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E5E3D0 19_2_00E5E3D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E7DB6C 19_2_00E7DB6C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E676C9 19_2_00E676C9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E92650 19_2_00E92650
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E6BE00 19_2_00E6BE00
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E48FC0 19_2_00E48FC0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E59F50 19_2_00E59F50
PE file contains strange resources
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_5.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_5.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: appforpr2[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: appforpr2[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: appforpr2[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qku3YiVhcZIcmDNEbDutTIoi.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HR[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HR[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HR[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: file3[1].exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zCgmVlJU85h7EoUzOQ69Wnzh.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Section loaded: libcurlpp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Section loaded: libgcc_s_dw2-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Section loaded: libgcc_s_dw2-1.dll
PE file contains more sections than normal
Source: libstdc++-6.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: setup_install.exe.1.dr Static PE information: Number of sections : 18 > 10
Source: libcurlpp.dll.1.dr Static PE information: Number of sections : 18 > 10
Source: libcurl.dll.1.dr Static PE information: Number of sections : 19 > 10
Uses 32bit PE files
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 19.3.arnatic_5.exe.3f90944.32.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f90944.79.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.arnatic_4.exe.d30000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.31.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.3.0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe.240787c.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.96.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f90944.78.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.93.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.29.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.77.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.85.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.84.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.65.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.92.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.25.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.72.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.86.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.55.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.90.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.80.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f90944.30.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.95.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.91.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.45.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.94.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.88.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.87.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.89.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000029.00000000.369507854.000001D91AAD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002B.00000000.502724798.00000222CAB20000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000024.00000000.339935983.0000027CA9C70000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000021.00000003.550769073.0000024B7D150000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000021.00000000.323345262.0000024B7D0D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000029.00000003.567618984.000001D91AB50000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000002.680954201.0000000002F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002B.00000003.416182246.00000222CAAB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000021.00000003.322078967.0000024B7D060000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002A.00000003.572017693.000002F2C5C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000024.00000002.572434076.0000027CA9C70000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002A.00000003.386722260.000002F2C5B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000002.686091644.0000000004960000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000029.00000003.365240878.000001D91AA60000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002A.00000000.397801058.000002F2C5C00000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000028.00000003.348602977.0000023342660000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000024.00000003.332963545.0000027CA9C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000028.00000003.561838327.0000023342760000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000028.00000000.350690670.00000233426D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002B.00000003.574644922.00000222CB140000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: String function: 0042A1C4 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: String function: 0046E270 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: String function: 00468161 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: String function: 00401016 appears 53 times
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: String function: 00403204 appears 37 times
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: String function: 00418D80 appears 123 times
PE file contains executable resources (Code or Archives)
Source: appforpr2[1].exe.19.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: qku3YiVhcZIcmDNEbDutTIoi.exe.19.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
PE file does not import any functions
Source: CC4F.tmp.13.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamelibcurl.dllB vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinPthreadGCp( vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp Binary or memory string: OriginalFilename$ vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDTDrop.dll. vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilename7zS.sfx.exe, vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291271193.0000000001FE0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinPthreadGCp( vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBear Vpn.exe4 vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoftPortal.exe6 vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: libstdc++-6.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurl.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: setup_install.exe.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: arnatic_2.txt.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: arnatic_3.txt.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: arnatic_8.txt.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: libcurl.dll.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.1.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: setup_install.exe.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libstdc++-6.dll.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libcurl.dll.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libcurlpp.dll.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: setup_install.exe.1.dr Static PE information: Section: .rdata ZLIB complexity 0.994055706522
Source: setup_install.exe.1.dr Static PE information: Section: /4 ZLIB complexity 1.00057768486
Source: setup_install.exe.1.dr Static PE information: Section: /91 ZLIB complexity 0.993885869565
Source: libstdc++-6.dll.1.dr Static PE information: Section: /4 ZLIB complexity 0.99873490767
Source: libstdc++-6.dll.1.dr Static PE information: Section: .reloc ZLIB complexity 1.00014648438
Source: arnatic_6.txt.1.dr Static PE information: Section: !AHg.# ZLIB complexity 1.00044194799
Source: libcurl.dll.1.dr Static PE information: Section: .rdata ZLIB complexity 0.993694196429
Source: libcurl.dll.1.dr Static PE information: Section: .reloc ZLIB complexity 0.996710526316
Source: libcurlpp.dll.1.dr Static PE information: Section: /4 ZLIB complexity 1.00268554688
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: Section: ZLIB complexity 1.00044194799
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: Section: ZLIB complexity 1.00537109375
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: Section: ZLIB complexity 1.00051229508
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: Section: ZLIB complexity 1.0107421875
Source: qku3YiVhcZIcmDNEbDutTIoi.exe.19.dr Static PE information: Section: BSS ZLIB complexity 0.999471595677
Source: file3[1].exe.19.dr Static PE information: Section: .CRT ZLIB complexity 0.999274303072
Source: zCgmVlJU85h7EoUzOQ69Wnzh.exe.19.dr Static PE information: Section: .CRT ZLIB complexity 0.999274303072
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe File created: C:\Users\user\Documents\smNaHML3VmWpMtzp0xKVqAGa.exe
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@72/24@0/30
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File read: C:\Users\desktop.ini Jump to behavior
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Virustotal: Detection: 64%
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File read: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe "C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe"
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_1.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_2.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_3.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe arnatic_2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_4.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_5.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe arnatic_4.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_6.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_7.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe arnatic_6.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe arnatic_7.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.exe arnatic_8.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\rundll32.exe rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6764 -s 1092
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 1112
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe"
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_1.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_5.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_6.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_7.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe arnatic_6.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Code function: 11_2_00401020 CoInitialize,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize, 11_2_00401020
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main
Source: setup_install.exe String found in binary or memory: -stop
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static file information: File size 2831917 > 1048576
Source: Binary string: C:\xexic.pdb source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source: Binary string: G:\MyProject\StreetPlayer\ExtraProgram\DropTarget\x64\Release_EXE\DTDrop64.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source: Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source: Binary string: L9C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\jejenos75 sic-fopotepumazok\katikame.pdb source: arnatic_5.exe, 00000013.00000003.374716400.0000000007A9B000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389718434.0000000007B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.374635601.0000000007A79000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.408864251.0000000007D11000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source: Binary string: C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source: Binary string: -C:\hapatepo_jaga\pulaciyegac\96\le.pdbhQE source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source: Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdb source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source: Binary string: C:\ruri weteveruj-57 picomamodige\secobud\nikume\hocu\f.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source: Binary string: _C:\xexic.pdbh source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source: Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdbhqE source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source: Binary string: C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdb source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp
Source: Binary string: C:\hapatepo_jaga\pulaciyegac\96\le.pdb source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source: Binary string: Dx 5C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdbh source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Unpacked PE file: 7.2.setup_install.exe.400000.0.unpack .text:EW;.data:W;.rdata:W;/4:W;.bss:W;.idata:W;.CRT:W;.tls:W;/14:W;/29:W;/41:W;/55:W;/67:W;/80:W;/91:W;/102:W;.data:EW;.adata:EW; vs .text:ER;.data:W;.rdata:R;/4:R;.bss:W;.idata:W;.CRT:W;.tls:W;/14:R;/29:R;/41:R;/55:R;/67:R;/80:R;/91:R;/102:R;.data:EW;.adata:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00414150 push ecx; mov dword ptr [esp], ecx 1_2_00414151
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00418D80 push eax; ret 1_2_00418D9E
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00418DB0 push eax; ret 1_2_00418DDE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0051B00A push ebp; ret 7_2_0051B00D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00482030 push eax; mov dword ptr [esp], esi 7_2_00497A0D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004660D0 push eax; mov dword ptr [esp], ebx 7_2_004661E6
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004690F0 push edx; mov dword ptr [esp], ebx 7_2_004693B5
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004690F0 push eax; mov dword ptr [esp], ebx 7_2_004693DF
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00459200 push eax; mov dword ptr [esp], ebx 7_2_004593C5
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00466310 push eax; mov dword ptr [esp], ebx 7_2_00466425
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00457400 push eax; mov dword ptr [esp], ebx 7_2_004579F6
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00468420 push edx; mov dword ptr [esp], ebx 7_2_00468631
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00468420 push eax; mov dword ptr [esp], ebx 7_2_0046864B
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00456490 push eax; mov dword ptr [esp], ebx 7_2_00456A90
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00469650 push edx; mov dword ptr [esp], ebx 7_2_00469915
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00469650 push eax; mov dword ptr [esp], ebx 7_2_0046993F
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004223CA push eax; mov dword ptr [esp], ebx 7_2_0049873A
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004223CA push eax; mov dword ptr [esp], ebx 7_2_0049873A
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004807B0 push eax; mov dword ptr [esp], esi 7_2_00497A0D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00456D90 push eax; mov dword ptr [esp], ebx 7_2_004573B8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00455E50 push eax; mov dword ptr [esp], ebx 7_2_00456450
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00460E70 push eax; mov dword ptr [esp], ebx 7_2_00461026
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00426E24 push eax; mov dword ptr [esp], esi 7_2_00497A0D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Code function: 11_2_004026A0 push eax; ret 11_2_004026CE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00468239 push ecx; ret 15_2_0046824C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0046E2B5 push ecx; ret 15_2_0046E2C8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E80AAF push ecx; ret 19_2_00E80AC2
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E395E6 push ecx; ret 19_2_00E395F9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Code function: 11_2_00401E70 LoadLibraryA,LoadLibraryA,GetEnvironmentVariableW,GetEnvironmentVariableW,GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetConsoleWindow, 11_2_00401E70
Binary contains a suspicious time stamp
Source: CC4F.tmp.13.dr Static PE information: 0xC8733C73 [Sun Jul 26 13:21:55 2076 UTC]
PE file contains sections with non-standard names
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static PE information: section name: .sxdata
Source: setup_install.exe.1.dr Static PE information: section name: /4
Source: setup_install.exe.1.dr Static PE information: section name: /14
Source: setup_install.exe.1.dr Static PE information: section name: /29
Source: setup_install.exe.1.dr Static PE information: section name: /41
Source: setup_install.exe.1.dr Static PE information: section name: /55
Source: setup_install.exe.1.dr Static PE information: section name: /67
Source: setup_install.exe.1.dr Static PE information: section name: /80
Source: setup_install.exe.1.dr Static PE information: section name: /91
Source: setup_install.exe.1.dr Static PE information: section name: /102
Source: setup_install.exe.1.dr Static PE information: section name: .adata
Source: libgcc_s_dw2-1.dll.1.dr Static PE information: section name: /4
Source: libstdc++-6.dll.1.dr Static PE information: section name: /4
Source: libstdc++-6.dll.1.dr Static PE information: section name: .aspack
Source: libstdc++-6.dll.1.dr Static PE information: section name: .adata
Source: arnatic_6.txt.1.dr Static PE information: section name: !AHg.#
Source: arnatic_6.txt.1.dr Static PE information: section name:
Source: libcurl.dll.1.dr Static PE information: section name: /4
Source: libcurl.dll.1.dr Static PE information: section name: /14
Source: libcurl.dll.1.dr Static PE information: section name: /29
Source: libcurl.dll.1.dr Static PE information: section name: /41
Source: libcurl.dll.1.dr Static PE information: section name: /55
Source: libcurl.dll.1.dr Static PE information: section name: /67
Source: libcurl.dll.1.dr Static PE information: section name: /80
Source: libcurl.dll.1.dr Static PE information: section name: .aspack
Source: libcurl.dll.1.dr Static PE information: section name: .adata
Source: libcurlpp.dll.1.dr Static PE information: section name: /4
Source: libcurlpp.dll.1.dr Static PE information: section name: /14
Source: libcurlpp.dll.1.dr Static PE information: section name: /29
Source: libcurlpp.dll.1.dr Static PE information: section name: /41
Source: libcurlpp.dll.1.dr Static PE information: section name: /55
Source: libcurlpp.dll.1.dr Static PE information: section name: /67
Source: libcurlpp.dll.1.dr Static PE information: section name: /80
Source: libcurlpp.dll.1.dr Static PE information: section name: .aspack
Source: libcurlpp.dll.1.dr Static PE information: section name: .adata
Source: CC4F.tmp.13.dr Static PE information: section name: RT
Source: CC4F.tmp.13.dr Static PE information: section name: .mrdata
Source: CC4F.tmp.13.dr Static PE information: section name: .00cfg
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name: .A4SqVtu
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: section name: .adata
Source: file3[1].exe.19.dr Static PE information: section name: .shared
Source: zCgmVlJU85h7EoUzOQ69Wnzh.exe.19.dr Static PE information: section name: .shared
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr Static PE information: real checksum: 0x0 should be: 0xa87dd
Source: file4[1].exe.19.dr Static PE information: real checksum: 0x0 should be: 0x107921
Source: arnatic_6.txt.1.dr Static PE information: real checksum: 0x0 should be: 0x34718
Source: arnatic_1.txt.1.dr Static PE information: real checksum: 0x0 should be: 0xbc624
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr Static PE information: real checksum: 0x377549 should be: 0x377c40
Source: arnatic_7.txt.1.dr Static PE information: real checksum: 0x2bf14 should be: 0x29c3c
Source: LGWvGO5nGkFCrd4L2uFL5DeK.exe.19.dr Static PE information: real checksum: 0x0 should be: 0x107921
Source: arnatic_4.txt.1.dr Static PE information: real checksum: 0x0 should be: 0x11005
Source: arnatic_5.txt.1.dr Static PE information: real checksum: 0x0 should be: 0xdf48d
Source: HR[1].exe.19.dr Static PE information: real checksum: 0x0 should be: 0xa87dd
Source: _1UKif43Unz1FihnGsnEeFb1.exe.19.dr Static PE information: real checksum: 0x0 should be: 0x244c20
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Static PE information: real checksum: 0x0 should be: 0x2b8fbe
Source: yZeDvYwRNsEq5bdzAW5HeKXc.exe.19.dr Static PE information: real checksum: 0x0 should be: 0x159780
Source: initial sample Static PE information: section name: .text entropy: 7.99815017314
Source: initial sample Static PE information: section name: .text entropy: 7.99866963384
Source: initial sample Static PE information: section name: .text entropy: 7.37685364608
Source: initial sample Static PE information: section name: .text entropy: 7.94639918737
Source: initial sample Static PE information: section name: !AHg.# entropy: 7.99745375359
Source: initial sample Static PE information: section name: .text entropy: 7.83503470722
Source: initial sample Static PE information: section name: .text entropy: 7.99814642994
Source: initial sample Static PE information: section name: .text entropy: 7.9218416351
Source: initial sample Static PE information: section name: .text entropy: 6.85305507137
Source: initial sample Static PE information: section name: entropy: 7.99715676634
Source: initial sample Static PE information: section name: entropy: 7.90578074088
Source: initial sample Static PE information: section name: entropy: 7.99401213062
Source: initial sample Static PE information: section name: entropy: 7.78256634522
Source: initial sample Static PE information: section name: .rsrc entropy: 7.23339161013
Source: initial sample Static PE information: section name: .A4SqVtu entropy: 7.91915720311
Source: initial sample Static PE information: section name: BSS entropy: 7.99677259833
Source: initial sample Static PE information: section name: .CRT entropy: 7.99681649606
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt
Drops PE files
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe (copy)
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libwinpthread-1.dll
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libgcc_s_dw2-1.dll
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe (copy)
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe File created: C:\Users\user\AppData\Local\Temp\CC4F.tmp
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe (copy)
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libstdc++-6.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe (copy)

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\CC4F.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe TID: 6560 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe TID: 6560 Thread sleep time: -195000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe TID: 5516 Thread sleep count: 42 > 30
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe API coverage: 4.9 %
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CC4F.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040A5EA _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 15_2_0040A5EA
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\550
Source: arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp Binary or memory string: BLuSUGZKtWlFmFaRBHpfyEVMCitNB|q'<dhP#oM-+BbzY4*:B"('"
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWumblr.comLf
Source: arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp Binary or memory string: vmware
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp Binary or memory string: DetectVirtualMachine
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp Binary or memory string: VMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp Binary or memory string: e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp Binary or memory string: <Module>Bear Vpn.exeProgramStubRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorMainDownloadPayloadRunOnStartup.ctorExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatorurlregNameAppPathHidepathlpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeBear VpnEnvironmentExitSystem.ThreadingThreadSleepSystem.IOPathGetTempPathCombineFileWriteAllBytesSystem.NetServicePointManagerSecurityProtocolTypeset_SecurityProtocolWebRequestCreateHttpWebRequestset_MethodWebResponseGetResponseHttpWebResponseStreamGetResponseStreamMemoryStreamCopyToCloseDisposeToArrayIDisposableAppDomainget_CurrentDomainget_FriendlyNameStringConcatExistsAssemblyGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineOpenSubKeySetValueCurrentUserException.cctorSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_Currentget_ItemToStringToLowerop_EqualityToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticks
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00405FE9 GetSystemInfo, 1_2_00405FE9
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00404B47 FindFirstFileW, 1_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0040A24D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose, 15_2_0040A24D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_004625DE __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 15_2_004625DE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00412D8E _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose, 15_2_00412D8E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00404F13 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 15_2_00404F13
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00412F8E __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose, 15_2_00412F8E

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Code function: 11_2_00401E70 LoadLibraryA,LoadLibraryA,GetEnvironmentVariableW,GetEnvironmentVariableW,GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetConsoleWindow, 11_2_00401E70
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00401000 mov eax, dword ptr fs:[00000030h] 15_2_00401000
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E69389 mov eax, dword ptr fs:[00000030h] 19_2_00E69389
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0046E567 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0046E567
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0047CD87 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 15_2_0047CD87
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040115C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 7_2_0040115C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_00401150 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_cexit, 7_2_00401150
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040C18C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_0040C18C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040C190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_0040C190
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_004013C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_cexit,_amsg_exit,_initterm, 7_2_004013C9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Code function: 11_2_0040419A SetUnhandledExceptionFilter, 11_2_0040419A
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Code function: 11_2_004041AC SetUnhandledExceptionFilter, 11_2_004041AC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0046E567 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0046E567
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_00467018 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00467018
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E6CD9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00E6CD9E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E39758 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00E39758

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_1.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_3.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_4.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_6.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_7.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe arnatic_6.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown Jump to behavior
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
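The process-creation lines above describe the delivery chain: the 7-Zip SFX stub (setup_install.exe) runs cmd.exe /c, cmd.exe starts the numbered arnatic_N.exe stages from the Temp extraction directory, and arnatic_5.exe in turn drops and launches further executables under the user's Documents folder. As an added example, not part of the sandbox report, the Python below reconstructs that tree from lines in the format shown here and flags the edges an analyst would look at first. The sample lines are copied from this section (with the link text removed); the classification rules, the "user-writable directory" heuristic and the handling of "unknown" children are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Process created:" lines from the report
# section above (link text removed), including two of the "unknown unknown" entries.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe",
    r'Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a',
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe",
    r'Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe"',
    r"Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown",
    r"Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Process created: unknown unknown",
]

# Paths in this report contain no spaces, so \S+ is enough for the two image fields.
LINE_RE = re.compile(
    r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$"
)


def parse_process_lines(lines):
    """Return (parent_image, child_image, child_cmdline) tuples; non-matching lines are skipped."""
    edges = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            edges.append((m["parent"], m["image"], m["cmdline"] or ""))
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_edge(parent, child, cmdline):
    """Reasons a parent->child edge deserves attention; an empty list means nothing notable."""
    if child == "unknown":
        return ["child image and command line not recorded"]
    reasons = []
    p, c, lc = basename(parent), basename(child), child.lower()
    if c == "cmd.exe" and re.search(r"/c\s+\S+\.exe", cmdline, re.IGNORECASE):
        reasons.append("cmd.exe /c used to launch an executable")
    if p == "cmd.exe" and c.endswith(".exe"):
        reasons.append("executable spawned by cmd.exe")
    if "\\appdata\\local\\temp\\" in lc or "\\documents\\" in lc:
        reasons.append("executable runs from a user-writable directory")
    if parent.lower() == child.lower():
        reasons.append("process re-executes its own image")
    return reasons


def build_tree(edges):
    tree = defaultdict(list)
    for parent, child, cmdline in edges:
        tree[parent].append((child, cmdline))
    return tree


def roots(edges):
    """Images that spawn children but were never spawned themselves."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render(tree, node, depth=0, stack=()):
    """Indented text tree; `stack` stops infinite descent on self-spawning processes."""
    lines = ["  " * depth + basename(node)]
    if node in stack:
        return lines
    for child, _cmdline in tree.get(node, []):
        lines.extend(render(tree, child, depth + 1, stack + (node,)))
    return lines


def triage(lines):
    """Flagged edges as (parent_name, child_name, reasons), in report order."""
    flagged = []
    for parent, child, cmdline in parse_process_lines(lines):
        reasons = classify_edge(parent, child, cmdline)
        if reasons:
            flagged.append((basename(parent), basename(child), reasons))
    return flagged


if __name__ == "__main__":
    edges = parse_process_lines(SAMPLE_LINES)
    print("\n".join(render(build_tree(edges), roots(edges)[0])))
    for parent, child, reasons in triage(SAMPLE_LINES):
        print(f"{parent} -> {child}: {'; '.join(reasons)}")
```

The self-spawn of arnatic_1.exe with "-a" is kept as a distinct node rather than collapsed, because a stage that re-executes its own image usually hands control to an unpacked payload, and the memory dumps of the second instance are the ones worth carving.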

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 15_2_0047809C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 15_2_0047815C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 15_2_004781C3
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 15_2_004781FF
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 15_2_004765FB
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: ___getlocaleinfo (the same call repeated many times in the call list), 15_2_004768A6
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 15_2_0047CAE9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 15_2_0047CBC3
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: EnumSystemLocalesW, 19_2_00E7A89E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: EnumSystemLocalesW, 19_2_00E7A803
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: EnumSystemLocalesW, 19_2_00E769EA
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 19_2_00E7ACA4
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 19_2_00E7A540
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 19_2_00E7AE78
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: EnumSystemLocalesW, 19_2_00E7A7B8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: GetLocaleInfoW, 19_2_00E76F89
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Code function: 19_2_00E38A68 cpuid 19_2_00E38A68
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Code function: 7_2_0040C0E0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_0040C0E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_004710D2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 15_2_004710D2
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe Code function: 15_2_0045F39E GetUserNameA, 15_2_0045F39E
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe Code function: 1_2_00401951 GetVersionExW, 1_2_00401951

Lowering of HIPS / PFW / Operating System Security Settings:

Disable Windows Defender real time protection (registry)
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
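DisableIOAVProtection under the Real-Time Protection policy key switches off scanning of downloaded files and attachments (the IOAV component), one part of real-time protection rather than all of it; a value under HKLM\SOFTWARE\Policies takes precedence over the preference a user or script sets with Set-MpPreference. As an added example, not the sandbox's own detection logic, the Python below parses registry lines in the format of this report and flags Defender policy writes by the value they set. The first sample line is the one above; the other three events are constructed (a benign Explorer setting, a Defender value written as 0, and an exclusion path). The value names are the documented Defender policy values; the impact text is my summary.

```python
import re

# Constructed input in the report's "Registry key value created / modified" format:
# the first line is the one from the report above; the other three are made up
# (a benign Explorer setting, a Defender value written as 0, and an exclusion).
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1",
    r"Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 1",
    r"Source: C:\Users\user\Desktop\installer.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableRealtimeMonitoring 0",
    r"Source: C:\Users\user\Desktop\installer.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths C:\Users\user\AppData\Roaming 0",
]

# The key path may contain spaces ("Windows Defender", "Real-Time Protection"),
# so it is matched lazily and the last two space-free tokens are value name and data.
EVENT_RE = re.compile(
    r"^Source: (?P<proc>\S+) Registry key value created / modified: "
    r"(?P<key>.+?) (?P<name>\S+) (?P<data>\S+)$"
)

DEFENDER_POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

# Defender policy values that switch a protection component off when set to 1.
DISABLE_VALUES = {
    "DisableAntiSpyware": "Microsoft Defender antivirus disabled by policy",
    "DisableRealtimeMonitoring": "real-time monitoring off",
    "DisableBehaviorMonitoring": "behaviour monitoring off",
    "DisableOnAccessProtection": "on-access file scanning off",
    "DisableScanOnRealtimeEnable": "catch-up scan after re-enabling real-time protection off",
    "DisableIOAVProtection": "scanning of downloaded files and attachments (IOAV) off",
}


def parse_registry_event(line):
    """Split a report line into process, key path, value name and data (None if not one)."""
    m = EVENT_RE.match(line.strip())
    return {k: m[k] for k in ("proc", "key", "name", "data")} if m else None


def assess_defender_event(event):
    """Return a finding if the write weakens Defender, otherwise None."""
    key = event["key"]
    if not key.lower().startswith(DEFENDER_POLICY_ROOT.lower()):
        return None
    name, data = event["name"], event["data"]
    if name in DISABLE_VALUES and data == "1":
        impact = DISABLE_VALUES[name]
    elif "\\exclusions\\" in key.lower():
        # Under Exclusions\Paths, \Extensions or \Processes the value *name* is the exclusion.
        impact = "Defender exclusion added: " + name
    else:
        return None
    return {"process": event["proc"], "key": key, "value": name, "data": data, "impact": impact}


def check_defender_policy_events(lines):
    """All findings for a list of report lines, in input order."""
    findings = []
    for line in lines:
        event = parse_registry_event(line)
        if event is None:
            continue
        finding = assess_defender_event(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_defender_policy_events(SAMPLE_EVENTS):
        print(f"{f['process']} wrote {f['value']}={f['data']} -> {f['impact']}")
```

The check keys on the value written rather than on the writing process, so it fires whether the write comes from a dropped binary, reg.exe or a PowerShell one-liner. On a managed host any process other than Group Policy processing writing under the Policies\Microsoft\Windows Defender key is itself worth an alert; that broader rule would also catch values not in the table above.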

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 0000002F.00000003.469242812.0000000000844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp, type: MEMORY
Yara Genericmalware
Source: Yara match File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED
Yara detected SmokeLoader
Source: Yara match File source: 0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.23e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.arnatic_3.exe.2480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.arnatic_3.exe.2480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.23e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.424491159.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.316957711.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.322961935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.321122893.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: arnatic_3.exe PID: 6564, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: ElectrumLTC
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: ElectronCash
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: \Electrum\wallets\
Source: arnatic_3.exe String found in binary or memory: JaxxLiberty
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: window-state.json
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: exodus.conf.json
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: \Exodus\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: info.seco
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: passphrase.json
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: \Ethereum\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: Exodus
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: default_wallet
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: file__0.localstorage
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: MultiDoge
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: seed.seco
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: keystore
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: \Electrum-LTC\wallets\
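The strings above are the on-disk file and directory names of wallet applications (Electrum, Electrum-LTC, Electron Cash, Exodus, Jaxx, Ethereum keystores, MultiDoge); a stealer that carries them searches the profile for those paths and exfiltrates the files. As an added example, mine rather than Vidar's code or the sandbox's Yara rule, the Python below groups the strings by wallet, scans a memory blob for them as both ASCII and UTF-16LE (Windows binaries often hold such paths as wide strings, which an ASCII-only search misses), requires more than one generic hit before naming a wallet, and renders the same set as a YARA rule. The family grouping, the hit threshold and the sample blob are my own assumptions, not something the report states.

```python
# Wallet artefact strings from the report above, grouped by the wallet they point
# to. The grouping is my own reading of the strings, not something the report states.
WALLET_INDICATORS = {
    "Electrum": ["\\Electrum\\wallets\\", "default_wallet"],
    "Electrum-LTC": ["ElectrumLTC", "\\Electrum-LTC\\wallets\\"],
    "Electron Cash": ["ElectronCash"],
    "Exodus": ["\\Exodus\\", "\\Exodus\\exodus.wallet\\", "exodus.conf.json",
               "info.seco", "seed.seco", "passphrase.json", "window-state.json"],
    "Jaxx": ["JaxxLiberty", "\\jaxx\\Local Storage\\", "file__0.localstorage"],
    "Ethereum": ["\\Ethereum\\", "keystore"],
    "MultiDoge": ["MultiDoge"],
}

# Constructed test blob standing in for a memory dump: mixes ASCII strings,
# one UTF-16LE string, and filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\\Electrum\\wallets\\" + b"\x00" * 8
    + "exodus.conf.json".encode("utf-16-le") + b"\x00" * 8
    + b"seed.seco\x00keystore\x00"
)


def find_indicators(blob):
    """Map wallet family -> indicators present in `blob` as ASCII or UTF-16LE."""
    hits = {}
    for family, needles in WALLET_INDICATORS.items():
        found = [s for s in needles
                 if s.encode("ascii") in blob or s.encode("utf-16-le") in blob]
        if found:
            hits[family] = found
    return hits


def targeted_wallets(blob, min_hits=2):
    """Families with at least `min_hits` indicators, or a single path-shaped one.

    The threshold keeps generic words such as "keystore" from naming a wallet on
    their own; a backslash path like \\Exodus\\exodus.wallet\\ is specific enough alone.
    """
    return sorted(family for family, found in find_indicators(blob).items()
                  if len(found) >= min_hits or any("\\" in s for s in found))


def to_yara_rule(name="wallet_artifact_strings", threshold=3):
    """Render the indicator set as a YARA rule (backslashes escaped, ascii and wide)."""
    lines = [f"rule {name}", "{", "    strings:"]
    i = 0
    for family, needles in WALLET_INDICATORS.items():
        for s in needles:
            esc = s.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'        $s{i} = "{esc}" ascii wide  // {family}')
            i += 1
    lines += ["    condition:", f"        {threshold} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_indicators(SAMPLE_BLOB))
    print(targeted_wallets(SAMPLE_BLOB))
    print(to_yara_rule())
```

Run against the unpacked arnatic_3.exe regions listed under the Vidar Yara matches, the same scan tells you which wallets that particular build targets, which is more useful for victim notification than the bare "Yara detected" verdict.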
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED
Yara detected Credential Stealer
Source: Yara match File source: 00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: arnatic_3.exe PID: 6564, type: MEMORYSTR
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe Directory queried: C:\Users\user\Documents (26 identical entries)

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 0000002F.00000003.469242812.0000000000844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp, type: MEMORY
Yara Genericmalware
Source: Yara match File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED
Yara detected SmokeLoader
Source: Yara match File source: 0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.23e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.arnatic_3.exe.2480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.arnatic_3.exe.2480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.arnatic_3.exe.23e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.arnatic_3.exe.23e0e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.424491159.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.316957711.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.322961935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.321122893.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: arnatic_3.exe PID: 6564, type: MEMORYSTR