Windows Analysis Report astro-grep-setup.exe.doc

Overview

General Information

Sample Name: astro-grep-setup.exe.doc
Analysis ID: 450275
MD5: 9c3d3679ea84ff9bf67bf8c7aa2afc48
SHA1: 0470d616e8918ef03098741bf7fb0b313bb8aaea
SHA256: 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
Tags: AstroGrepdoc

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains strange resources
PE file overlay found
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Unable to load, office file is protected or invalid
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Memsys\ms.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: astro-grep-setup.exe.doc Virustotal: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Joe Sandbox ML: detected
Source: C:\ProgramData\Memsys\ms.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: astro-grep-setup.exe.doc Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.2.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.0.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.0.ms.exe.b8b130.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.ms.exe.b70000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.2.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.0.ms.exe.b70000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.ms.exe.b8b130.2.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window detected: < &BackI &AgreeCancelNullsoft Install System v3.0rc1 Nullsoft Install System v3.0rc1License AgreementPlease review the license terms before installing AstroGrep v4.4.7.Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away yourfreedom to share and change it. By contrast the GNU General PublicLicense is intended to guarantee your freedom to share and change freesoftware--to make sure the software is free for all its users. ThisGeneral Public License applies to most of the Free SoftwareFoundation's software and to any other program whose authors commit tousing it. (Some other Free Software Foundation software is covered bythe GNU Library General Public License instead.) You can apply it toyour programs too. When we speak of free software we are referring to freedom notprice. Our General Public Licenses are designed to make sure that youhave the freedom to distribute copies of free software (and charge forthis service if you wish) that you receive source code or can get itif you want it that you can change the software or use pieces of itin new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbidanyone to deny you these rights or to ask you to surrender the rights.These restrictions translate to certain responsibilities for you if youdistribute copies of the software or if you modify it. For example if you distribute copies of such a program whethergratis or for a fee you must give the recipients all the rights thatyou have. You must make sure that they too receive or can get thesource code. 
And you must show them these terms so they know theirrights. We protect your rights with two steps: (1) copyright the software and(2) offer you this license which gives you legal permission to copydistribute and/or modify the software. Also for each author's protection and ours we want to make certainthat everyone understands that there is no warranty for this freesoftware. If the software is modified by someone else and passed on wewant its recipients to know that what they have is not the original sothat any problems introduced by others will not reflect on the originalauthors' reputations. Finally any free program is threatened constantly by softwarepatents. We wish to avoid the danger that redistributors of a freeprogram will individually obtain patent licenses in effect making theprogram proprietary. To prevent this we have made it clear that anypatent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution andmodification follow. GNU GENERAL PUBLIC L
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00406033 FindFirstFileA,FindClose, 4_2_00406033
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_004055D1
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00402688 FindFirstFileA, 4_2_00402688
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\ProgramData\Memsys\ms.exe
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: ms.exe.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\ProgramData\Memsys\ms.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: pastebin.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.23.98.190:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.23.98.190:443
Source: winword.exe Memory has grown: Private usage: 0MB later: 53MB

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 185.195.232.251:57667
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.98.190 104.23.98.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 185.195.232.251
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{90768F62-679A-419C-A2B1-C0B28319F5E4}.tmp
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000000.2390480957.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000000.2390480957.0000000000409000.00000008.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: astro-grep.exe, 0000000C.00000002.2652361514.0000000002344000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com
Source: ASTRO-GREP.EXE, 00000003.00000002.2442951671.0000000004ED0000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477688132.0000000001E30000.00000002.00000001.sdmp, taskeng.exe, 0000000B.00000002.2652140631.0000000001C70000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2653664387.0000000004DF0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: ASTRO-GREP.EXE, 00000003.00000002.2441734010.000000000248A000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ASTRO-GREP.EXE, 00000003.00000002.2442951671.0000000004ED0000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477688132.0000000001E30000.00000002.00000001.sdmp, taskeng.exe, 0000000B.00000002.2652140631.0000000001C70000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2653664387.0000000004DF0000.00000002.00000001.sdmp, astro-grep.exe, 0000000E.00000002.2504792179.0000000004F70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp String found in binary or memory: https://nlog-project.org/
Source: astro-grep.exe, 0000000C.00000002.2652418016.000000000245A000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com
Source: astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw
Source: ASTRO-GREP.EXE, 00000003.00000002.2441616944.0000000002431000.00000004.00000001.sdmp, ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652178883.0000000000750000.00000004.00000020.sdmp, astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGM
Source: astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGMHD
Source: ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGMHD9m
Source: ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGMHD9mPHD9m0HD9m
Source: astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comP
Source: astro-grep.exe, 0000000C.00000002.2652380939.0000000002368000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652361514.0000000002344000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00405086

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 24 Screenshot OCR: document is protected ' to avoid sensible data leak. Please click "Enable Content' to vy view de
Source: Screenshot number: 24 Screenshot OCR: PROTECTED DOCUMENT 4 " 4 This document is protected ' to avoid sensible data leak. Please click
Source: Screenshot number: 24 Screenshot OCR: Enable Content' to vy view decrypted message I O "g" ' 0' "' I Wo"" ' I I 13 70% G) A GE
Source: Document image extraction number: 0 Screenshot OCR: document is protected to avoid sensible data leak. Please click "Enable Content" to view decrypte
Source: Document image extraction number: 0 Screenshot OCR: PROTECTED DOCUMENT This document is protected to avoid sensible data leak. Please click "Enable C
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to view decrypted message
Source: Document image extraction number: 1 Screenshot OCR: document is protected to avoid sensible data leak. Please click "Enable Content" to view decrypte
Source: Document image extraction number: 1 Screenshot OCR: PROTECTED DOCUMENT This document is protected to avoid sensible data leak. Please click "Enable C
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to view decrypted message
Source: Screenshot number: 28 Screenshot OCR: PROTECTED DOCUMENT 4 " 4 Thl cument is protected ' to jg; sensible data leak. Please click "Ena
Source: Screenshot number: 28 Screenshot OCR: Enable Content' to view decrypted message i i I ft Cl =~ 1,G) O "g" ' 0' "' I Wo"" ' I I
Document contains an embedded VBA macro which may execute processes
Source: astro-grep-setup.exe.doc OLE, VBA macro line: OBsGG = Shell(vbHH, 1)
Document contains an embedded VBA macro with suspicious strings
Source: astro-grep-setup.exe.doc OLE, VBA macro line: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("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"))))))))))))))
Source: astro-grep-setup.exe.doc OLE, VBA macro line: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("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"))))))))))))))
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String environ: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("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")))))))))))))) Name: RemoveParagraph
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function o______XX16041118053, String environ: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0wd2QyUXlVWGxWV0d4V1YwZDRXRmxVU205V01WbDNXa2M1VjFKc2JETlhhMk0xVjBaYWMySkVUbGhoTWsweFZqQmFZV1JIVmtWUmJVWlhWbXhzTTFacVFtRlRNbEpJVm10a1dHSkdjRTlaVjNSR1pVWmFkR05GWkZwV01VcEpWbTEwYTFkSFNrZGpSVGxhVmpOU1IxcFZXbUZrUjA1R1drWndWMDFWY0VwV2JURXdZekpHVjFOdVVtaFNlbXhXVm0xNFlVMHhXbk5YYlVaclVqQTFSMXBGV2xOVWJGcFZWbXR3VjJKVVJYZFpWRXBIVmpGT1dWcEdhR2xTTW1oWlYxWmtNRmxXVWtkV1dHaFlZbGhTV0ZSV2FFTlNiRnBZWlVoa1YwMUVSbGRaTUZwelZqRmFObEZZYUZabGEzQklXWHBHVDJSV1duTlRiV3hYVWpOb2IxWnRjRU5pTVVWNFdrVmthbEp0VWxsWmJGWmhZMVpTVjFkdVpFNVNiRm93V2xWa01GWlhTa2RqUkVaV1ZqTm9kbFpxUmt0ak1rNUhZVVprYUdFelFrbFdWRUpoV1ZkU1YxTnVUbFJpUjFKVVZGUkJkMDFSUFQwPQ==")))))))))))))) Name: o______XX16041118053
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String Vm0wd2QyVkZOVWRXV0doVllteEtXRmxVUm5kVU1WcHpXa2M1VjFadGVEQlpNM0JIVm1zeFdHVkliRmRpVkZaeVZtMHhTMUl5VGtsaVJtUlhUVEZLVFZac1ZtRldNVnBXVFZWV2FHVnFRVGs9
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String 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
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0=
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String Vm0wd2QyUXlVWGxXYTJoV1YwZG9WVll3WkRSV1JsbDNXa1pPVmxKc2NIcFhhMk0xVmpGYWMySkVUbGhoTWsweFZtcEJlRmRIVmtWUmJVWlhWbXhzTTFadGNFSmxSbVJJVm10c2FWSnRhRzlVVm1oRFZWWmtWMXBFVWxwV01ERTBWMnRvUjFWdFNrZFhiR2hhWVRGYU0xWnNXbXRXTVdSelYyMTRVMkpIZHpCV01uUnZWakpHUjFOdVVsWmlSa3BvVm1wT1UxbFdjRmhsUjBacVRWWndNRlZ0ZUd0VWJGcDFVV3hvVjFKc2NGaFdha3BIVTBaYWRWSnNTbGRTTTAwMQ==
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function Wipedir, String Vm0wd2QyUXlVWGxXYTFwUFZsZFNXRll3Wkc5V2JGbDNXa2M1VjAxV2JETlhhMUpUVjBaS2RHVkliRmhoTWsweFZtcEdTMlJIVmtsaVJtaG9UVlZ3VlZadE1YcGxSbVJJVm10a2FWSXdXbFJXYlhoelRURmtWMWRzV214U2JHdzFWa2QwVjFVeVNrbFJhemxXWWxSV1JGcFdXbXRXTVZaeVdrWndWMDFFUlRCV2EyTXhVekpHVjFOWVpGaGlSa3BZV1ZkMFlWUkdWWGhYYlhSWFRWaENSbFpYZUZOaFZscHlWMVJHVjJFeVVYZFhWbVJIVmpGT2RWVnNXbWxoTUhCWlZrWldhMVV5VW5OWGJrNVlZbGhTV1ZWcVJrdFRWbFowVFZjNVZXSkdjRnBWVjNCWFZqRkplbUZHYUZwbGExcDZWbXBHVDJSV1ZuUmhSbEpUVmxoQ1dWWXhXbXROUmtwMFZWaG9WbUpHY0ZsWmJGWmhZMVpTVjFkdVpFNVNiRm93VkZab2ExWlhTbFpqUldSYVRVWmFNMVpxU2tabFZsWlpXa1p3YUdFelFrMVdWM0JIVkRKU1YxZHVUbFJpVjJoeldXeG9iMWRHV25STlNHaFBVbTE0V0ZZeGFHOVdiVXB5VGxaU1YyRXlVVEJXVjNoaFZqRldXVnBHUWxaV1JFRTE=
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function o______XX16041118053, String Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0=
Document contains an embedded VBA with hexadecimal encoded strings
Source: astro-grep-setup.exe.doc Stream path 'VBA/NewMacros' : found hex strings
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\ProgramData\Memsys\ms.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\ProgramData\Memsys\ms.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\ProgramData\Memsys\ms.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_0040310F
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_001D3868 3_2_001D3868
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_001D4540 3_2_001D4540
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_001D3520 3_2_001D3520
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_004048C5 4_2_004048C5
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_004064CB 4_2_004064CB
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00406CA2 4_2_00406CA2
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_001B3868 12_2_001B3868
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_001B4540 12_2_001B4540
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_001B3520 12_2_001B3520
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: astro-grep-setup.exe.doc OLE, VBA macro line: Sub AutoOpen()
Source: astro-grep-setup.exe.doc OLE, VBA macro line: Private Sub Workbook_Open()
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function AutoOpen Name: AutoOpen
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function Workbook_Open Name: Workbook_Open
Document contains embedded VBA macros
Source: astro-grep-setup.exe.doc OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: astro-grep-setup.exe.doc OLE indicator has summary info: false
Document has an unknown application name
Source: astro-grep-setup.exe.doc OLE indicator application name: unknown
PE file contains executable resources (Code or Archives)
Source: ms.exe.0.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ms.exe.0.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: ms.exe.0.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
PE file contains strange resources
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AstroGrep.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file overlay found
Source: ms.exe.0.dr Static PE information: Data appended to the last section found
Unable to load, office file is protected or invalid
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window title found: astrogrep v4.4.7 setup < &backi &agreecancelnullsoft install system v3.0rc1 nullsoft install system v3.0rc1license agreementplease review the license terms before installing astrogrep v4.4.7.press page down to see the rest of the agreement. gnu general public license version 2 june 1991 copyright (c) 1989 1991 free software foundation inc. 59 temple place suite 330 boston ma 02111-1307 usa everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. preamble the licenses for most software are designed to take away yourfreedom to share and change it. by contrast the gnu general publiclicense is intended to guarantee your freedom to share and change freesoftware--to make sure the software is free for all its users. thisgeneral public license applies to most of the free softwarefoundation's software and to any other program whose authors commit tousing it. (some other free software foundation software is covered bythe gnu library general public license instead.) you can apply it toyour programs too. when we speak of free software we are referring to freedom notprice. our general public licenses are designed to make sure that youhave the freedom to distribute copies of free software (and charge forthis service if you wish) that you receive source code or can get itif you want it that you can change the software or use pieces of itin new free programs; and that you know you can do these things. to protect your rights we need to make restrictions that forbidanyone to deny you these rights or to ask you to surrender the rights.these restrictions translate to certain responsibilities for you if youdistribute copies of the software or if you modify it. for example if you distribute copies of such a program whethergratis or for a fee you must give the recipients all the rights thatyou have. 
you must make sure that they too receive or can get thesource code. and you must show them these terms so they know theirrights. we protect your rights with two steps: (1) copyright the software and(2) offer you this license which gives you legal permission to copydistribute and/or modify the software. also for each author's protection and ours we want to make certainthat everyone understands that there is no warranty for this freesoftware. if the software is modified by someone else and passed on wewant its recipients to know that what they have is not the original sothat any problems introduced by others will not reflect on the originalauthors' reputations. finally any free program is threatened constantly by softwarepatents. we wish to avoid the danger that redistributors of a freeprogram will individually obtain patent licenses in effect making theprogram proprietary. to prevent this we have made it clear that anypatent must be licensed for everyone's free use or not licensed at all. the precise terms and conditions for copying distribution andmodification follow.
Yara signature match
Source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: C:\ProgramData\Memsys\ms.exe, type: DROPPED Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: ASTRO-GREP.EXE.2.dr, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: astro-grep.exe.3.dr, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 12.2.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUeYeeUck8GNsyx8WHqW6DHeMgQYSO
ay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 12.0.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUeYeeUck8GNsyx8WHqW6DHeMgQYSO
ay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 14.0.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 14.2.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ASTRO-GREP.EXE.2.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ASTRO-GREP.EXE.2.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@20/36@1/2
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_0040310F
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00404352 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 4_2_00404352
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_0040205E CoCreateInstance,MultiByteToWideChar, 4_2_0040205E
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B71AD0 FindResourceA,LoadResource,SizeofResource,LockResource,_memset,_memmove,FreeResource, 2_2_00B71AD0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$tro-grep-setup.exe.doc
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex_6SI8OkPnk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB3D4.tmp
Source: astro-grep-setup.exe.doc OLE document summary: title field not present or empty
Source: astro-grep-setup.exe.doc OLE document summary: author field not present or empty
Source: astro-grep-setup.exe.doc OLE document summary: edited time not present or 0
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Console Write: The batch file cannot be found
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: (non-printable output)
Source: C:\ProgramData\Memsys\ms.exe Command line argument: shell32.dll 2_2_00B71320
Source: C:\ProgramData\Memsys\ms.exe Command line argument: ShellExecuteA 2_2_00B71320
Source: C:\ProgramData\Memsys\ms.exe Command line argument: RBIND 2_2_00B71320
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\ProgramData\Memsys\ms.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: astro-grep-setup.exe.doc Virustotal: Detection: 60%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\ProgramData\Memsys\ms.exe C:\ProgramData\Memsys\ms.exe
Source: C:\ProgramData\Memsys\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\ProgramData\Memsys\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {E0184388-4CC0-4E79-AF38-011207705295} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\ProgramData\Memsys\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\ProgramData\Memsys\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\ProgramData\Memsys\ms.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window detected: < &Back I &Agree Cancel Nullsoft Install System v3.0rc1 Nullsoft Install System v3.0rc1 License Agreement Please review the license terms before installing AstroGrep v4.4.7. Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs too. When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it. For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all the rights that you have. You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software and (2) offer you this license which gives you legal permission to copy distribute and/or modify the software. Also for each author's protection and ours we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on we want its recipients to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors' reputations. Finally any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses in effect making the program proprietary. To prevent this we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution and modification follow. GNU GENERAL PUBLIC L
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: astro-grep-setup.exe.doc Static file information: File size 1446736 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ASTRO-GREP.EXE.2.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: astro-grep.exe.3.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.2.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B76260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00B76260
PE file contains an invalid checksum
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr Static PE information: real checksum: 0x0 should be: 0xea31c
Source: ms.exe.0.dr Static PE information: real checksum: 0x105a08 should be: 0x31c25
Source: astro-grep.exe.3.dr Static PE information: real checksum: 0x0 should be: 0xff1e
Source: AstroGrep.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x900c7
Source: ASTRO-GREP.EXE.2.dr Static PE information: real checksum: 0x0 should be: 0xff1e
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B74485 push ecx; ret 2_2_00B74498
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00927399 push es; ret 3_2_00927608
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_0092711F push cs; iretd 3_2_00927202
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00922F81 push eax; ret 3_2_00922F95
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_0092710D push cs; iretd 3_2_00927202
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00924122 push eax; ret 3_2_0092412C
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00922A66 push 0000003Eh; retn 0000h 3_2_00922DC0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00197399 push es; ret 12_2_00197608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_0019711F push cs; iretd 12_2_00197202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_0019710D push cs; iretd 12_2_00197202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00192F81 push eax; ret 12_2_00192F95
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00194122 push eax; ret 12_2_0019412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00192A66 push 0000003Eh; retn 0000h 12_2_00192DC0

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File created: C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\ProgramData\Memsys\ms.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\NLog.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\StartMenu.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Source: C:\ProgramData\Memsys\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Source: C:\ProgramData\Memsys\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\Uninstall.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\ProgramData\Memsys\ms.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Memsys\ms.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ASTRO-GREP.EXE, astro-grep.exe Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Dropped PE file which has not been started: C:\ProgramData\Memsys\ms.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\NLog.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\Uninstall.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 2984 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 2984 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2500 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 2700 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 2576 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 1100 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\astro-grep.exe WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00406033 FindFirstFileA,FindClose, 4_2_00406033
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_004055D1
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00402688 FindFirstFileA, 4_2_00402688
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: astro-grep.exe Binary or memory string: vmware
Source: ASTRO-GREP.EXE, 00000003.00000002.2441362969.000000000050C000.00000004.00000020.sdmp Binary or memory string: VMware_S
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000003.2477256410.00000000005D3000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_001D41B4 CheckRemoteDebuggerPresent, 3_2_001D41B4
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B73BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00B73BEC
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B76260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00B76260
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process token adjusted: Debug
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B74991 SetUnhandledExceptionFilter, 2_2_00B74991
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B73BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00B73BEC
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B72701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00B72701
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\ProgramData\Memsys\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\ProgramData\Memsys\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: taskeng.exe, 0000000B.00000002.2652076256.0000000000870000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652227873.0000000000B60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: taskeng.exe, 0000000B.00000002.2652076256.0000000000870000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652227873.0000000000B60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: taskeng.exe, 0000000B.00000002.2652076256.0000000000870000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652227873.0000000000B60000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Queries volume information: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Queries volume information: C:\Program Files (x86)\AstroGrep\AstroGrep.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Queries volume information: C:\Program Files (x86)\AstroGrep\Uninstall.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
Source: C:\ProgramData\Memsys\ms.exe Code function: 2_2_00B75173 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00B75173
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 4_2_00405D51
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED