
Windows Analysis Report astro-grep-setup.exe.doc

Overview

General Information

Sample Name: astro-grep-setup.exe.doc
Analysis ID: 450275
MD5: 9c3d3679ea84ff9bf67bf8c7aa2afc48
SHA1: 0470d616e8918ef03098741bf7fb0b313bb8aaea
SHA256: 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
Tags: AstroGrep, doc

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains strange resources
PE file overlay found
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Unable to load, office file is protected or invalid
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2788 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • ms.exe (PID: 1260 cmdline: C:\ProgramData\Memsys\ms.exe MD5: DBBB611DAF3ABD47972AE4FAF5D54C95)
      • ASTRO-GREP.EXE (PID: 2432 cmdline: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
        • cmd.exe (PID: 1784 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit MD5: AD7B9C14083B52BC532FBA5948342B98)
          • schtasks.exe (PID: 2220 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • cmd.exe (PID: 1068 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat'' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2288 cmdline: timeout 3 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
          • astro-grep.exe (PID: 1428 cmdline: 'C:\Users\user\AppData\Roaming\astro-grep.exe' MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
      • ASTROGREP_SETUP_V4.4.7.EXE (PID: 2328 cmdline: 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE' MD5: A708211241313FEAF9621E571631534D)
  • taskeng.exe (PID: 2320 cmdline: taskeng.exe {E0184388-4CC0-4E79-AF38-011207705295} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • astro-grep.exe (PID: 2468 cmdline: C:\Users\user\AppData\Roaming\astro-grep.exe MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\astro-grep.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\ProgramData\Memsys\ms.exe | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth | 0xa0a8:$x4: C:\Users\DarkCoderSc\ ; 0xa0c5:$x5: Celesty Binder\Stub\STATIC\Stub.pdb
C:\ProgramData\Memsys\ms.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(5 of 6 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.astro-grep.exe.190000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3.2.ASTRO-GREP.EXE.920000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
14.0.astro-grep.exe.190000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
12.0.astro-grep.exe.190000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(5 of 11 entries shown)

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started. Author: Florian Roth, oscd.community. Data: Command: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE', CommandLine: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE', CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, NewProcessName: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, OriginalFileName: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, ParentCommandLine: C:\ProgramData\Memsys\ms.exe, ParentImage: C:\ProgramData\Memsys\ms.exe, ParentProcessId: 1260, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE', ProcessId: 2432

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Memsys\ms.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: astro-grep-setup.exe.doc Virustotal: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Joe Sandbox ML: detected
Source: C:\ProgramData\Memsys\ms.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: astro-grep-setup.exe.doc Joe Sandbox ML: detected
Source: 12.2.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.0.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.0.ms.exe.b8b130.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.ms.exe.b70000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.2.astro-grep.exe.190000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.0.ms.exe.b70000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.ms.exe.b8b130.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window detected: < &Back I &Agree Cancel Nullsoft Install System v3.0rc1 Nullsoft Install System v3.0rc1 License Agreement Please review the license terms before installing AstroGrep v4.4.7. Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs too. When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it. For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all the rights that you have. You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software and (2) offer you this license which gives you legal permission to copy distribute and/or modify the software. Also for each author's protection and ours we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on we want its recipients to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors' reputations. Finally any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses in effect making the program proprietary. To prevent this we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution and modification follow. GNU GENERAL PUBLIC L
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00406033 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 4_2_00402688 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\ProgramData\Memsys\ms.exe
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: ms.exe.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\ProgramData\Memsys\ms.exe
Source: global traffic DNS query: name: pastebin.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.23.98.190:443 (2 identical entries)
Source: winword.exe Memory has grown: Private usage: 0MB later: 53MB

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 185.195.232.251:57667
Source: Joe Sandbox View IP Address: 104.23.98.190 104.23.98.190 (2 identical entries)
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 185.195.232.251 (36 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{90768F62-679A-419C-A2B1-C0B28319F5E4}.tmp
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000000.2390480957.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000000.2390480957.0000000000409000.00000008.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: astro-grep.exe, 0000000C.00000002.2652361514.0000000002344000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com
Source: ASTRO-GREP.EXE, 00000003.00000002.2442951671.0000000004ED0000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477688132.0000000001E30000.00000002.00000001.sdmp, taskeng.exe, 0000000B.00000002.2652140631.0000000001C70000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2653664387.0000000004DF0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: ASTRO-GREP.EXE, 00000003.00000002.2441734010.000000000248A000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ASTRO-GREP.EXE, 00000003.00000002.2442951671.0000000004ED0000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477688132.0000000001E30000.00000002.00000001.sdmp, taskeng.exe, 0000000B.00000002.2652140631.0000000001C70000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2653664387.0000000004DF0000.00000002.00000001.sdmp, astro-grep.exe, 0000000E.00000002.2504792179.0000000004F70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                            Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                            Source: ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                            Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                            Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                            Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmpString found in binary or memory: https://nlog-project.org/
                            Source: astro-grep.exe, 0000000C.00000002.2652418016.000000000245A000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com
                            Source: astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw
                            Source: ASTRO-GREP.EXE, 00000003.00000002.2441616944.0000000002431000.00000004.00000001.sdmp, ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652178883.0000000000750000.00000004.00000020.sdmp, astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/VTByvKGM
                            Source: astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/VTByvKGMHD
                            Source: ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/VTByvKGMHD9m
                            Source: ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/VTByvKGMHD9mPHD9m0HD9m
                            Source: astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.comP
                            Source: astro-grep.exe, 0000000C.00000002.2652380939.0000000002368000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652361514.0000000002344000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                            Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                            Source: astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                            Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 24 | Screenshot OCR: document is protected ' to avoid sensible data leak. Please click "Enable Content' to vy view de
Source: Screenshot number: 24 | Screenshot OCR: PROTECTED DOCUMENT 4 " 4 This document is protected ' to avoid sensible data leak. Please click
Source: Screenshot number: 24 | Screenshot OCR: Enable Content' to vy view decrypted message I O "g" ' 0' "' I Wo"" ' I I 13 70% G) A GE
Source: Document image extraction number: 0 | Screenshot OCR: document is protected to avoid sensible data leak. Please click "Enable Content" to view decrypte
Source: Document image extraction number: 0 | Screenshot OCR: PROTECTED DOCUMENT This document is protected to avoid sensible data leak. Please click "Enable C
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" to view decrypted message
Source: Document image extraction number: 1 | Screenshot OCR: document is protected to avoid sensible data leak. Please click "Enable Content" to view decrypte
Source: Document image extraction number: 1 | Screenshot OCR: PROTECTED DOCUMENT This document is protected to avoid sensible data leak. Please click "Enable C
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" to view decrypted message
Source: Screenshot number: 28 | Screenshot OCR: PROTECTED DOCUMENT 4 " 4 Thl cument is protected ' to jg; sensible data leak. Please click "Ena
Source: Screenshot number: 28 | Screenshot OCR: Enable Content' to view decrypted message i i I ft Cl =~ 1,G) O "g" ' 0' "' I Wo"" ' I I
Document contains an embedded VBA macro which may execute processes
Source: astro-grep-setup.exe.doc | OLE, VBA macro line: OBsGG = Shell(vbHH, 1)
Document contains an embedded VBA macro with suspicious strings
Source: astro-grep-setup.exe.doc | OLE, VBA macro line: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("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"))))))))))))))
Source: astro-grep-setup.exe.doc | OLE, VBA macro line: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0wd2QyUXlVWGxWV0d4V1YwZDRXRmxVU205V01WbDNXa2M1VjFKc2JETlhhMk0xVjBaYWMySkVUbGhoTWsweFZqQmFZV1JIVmtWUmJVWlhWbXhzTTFacVFtRlRNbEpJVm10a1dHSkdjRTlaVjNSR1pVWmFkR05GWkZwV01VcEpWbTEwYTFkSFNrZGpSVGxhVmpOU1IxcFZXbUZrUjA1R1drWndWMDFWY0VwV2JURXdZekpHVjFOdVVtaFNlbXhXVm0xNFlVMHhXbk5YYlVaclVqQTFSMXBGV2xOVWJGcFZWbXR3VjJKVVJYZFpWRXBIVmpGT1dWcEdhR2xTTW1oWlYxWmtNRmxXVWtkV1dHaFlZbGhTV0ZSV2FFTlNiRnBZWlVoa1YwMUVSbGRaTUZwelZqRmFObEZZYUZabGEzQklXWHBHVDJSV1duTlRiV3hYVWpOb2IxWnRjRU5pTVVWNFdrVmthbEp0VWxsWmJGWmhZMVpTVjFkdVpFNVNiRm93V2xWa01GWlhTa2RqUkVaV1ZqTm9kbFpxUmt0ak1rNUhZVVprYUdFelFrbFdWRUpoV1ZkU1YxTnVUbFJpUjFKVVZGUkJkMDFSUFQwPQ=="))))))))))))))
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String environ: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0wd2QyUXlVWGxWV0d4V1YwZDRXRmxVU205V01WbDNXa2M1VjFKc2JETlhhMk0xVjBaYWMySkVUbGhoTWsweFZqQmFZV1JIVmtWUmJVWlhWbXhzTTFacVFtRlRNbEpJVm10a1dHSkdjRTlaVjNSR1pVWmFkR05GWkZwV01VcEpWbTEwYTFkSFNrZGpSVGxhVmpOU1IxcFZXbUZrUjA1R1drWndWMDFWY0VwV2JURXdZekpHVjFOdVVtaFNlbXhXVm0xNFlVMHhXbk5YYlVaclVqQTFSMXBGV2xOVWJGcFZWbXR3VjJKVVJYZFpWRXBIVmpGT1dWcEdhR2xTTW1oWlYxWmtNRmxXVWtkV1dHaFlZbGhTV0ZSV2FFTlNiRnBZWlVoa1YwMUVSbGRaTUZwelZqRmFObEZZYUZabGEzQklXWHBHVDJSV1duTlRiV3hYVWpOb2IxWnRjRU5pTVVWNFdrVmthbEp0VWxsWmJGWmhZMVpTVjFkdVpFNVNiRm93V2xWa01GWlhTa2RqUkVaV1ZqTm9kbFpxUmt0ak1rNUhZVVprYUdFelFrbFdWRUpoV1ZkU1YxTnVUbFJpUjFKVVZGUkJkMDFSUFQwPQ=="))))))))))))))
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function o______XX16041118053, String environ: o______XX2233213199 = Environ(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0="))))))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("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"))))))))))))))
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String Vm0wd2QyVkZOVWRXV0doVllteEtXRmxVUm5kVU1WcHpXa2M1VjFadGVEQlpNM0JIVm1zeFdHVkliRmRpVkZaeVZtMHhTMUl5VGtsaVJtUlhUVEZLVFZac1ZtRldNVnBXVFZWV2FHVnFRVGs9
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String 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
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0=
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function RemoveParagraph, String Vm0wd2QyUXlVWGxXYTJoV1YwZG9WVll3WkRSV1JsbDNXa1pPVmxKc2NIcFhhMk0xVmpGYWMySkVUbGhoTWsweFZtcEJlRmRIVmtWUmJVWlhWbXhzTTFadGNFSmxSbVJJVm10c2FWSnRhRzlVVm1oRFZWWmtWMXBFVWxwV01ERTBWMnRvUjFWdFNrZFhiR2hhWVRGYU0xWnNXbXRXTVdSelYyMTRVMkpIZHpCV01uUnZWakpHUjFOdVVsWmlSa3BvVm1wT1UxbFdjRmhsUjBacVRWWndNRlZ0ZUd0VWJGcDFVV3hvVjFKc2NGaFdha3BIVTBaYWRWSnNTbGRTTTAwMQ==
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function Wipedir, String Vm0wd2QyUXlVWGxXYTFwUFZsZFNXRll3Wkc5V2JGbDNXa2M1VjAxV2JETlhhMUpUVjBaS2RHVkliRmhoTWsweFZtcEdTMlJIVmtsaVJtaG9UVlZ3VlZadE1YcGxSbVJJVm10a2FWSXdXbFJXYlhoelRURmtWMWRzV214U2JHdzFWa2QwVjFVeVNrbFJhemxXWWxSV1JGcFdXbXRXTVZaeVdrWndWMDFFUlRCV2EyTXhVekpHVjFOWVpGaGlSa3BZV1ZkMFlWUkdWWGhYYlhSWFRWaENSbFpYZUZOaFZscHlWMVJHVjJFeVVYZFhWbVJIVmpGT2RWVnNXbWxoTUhCWlZrWldhMVV5VW5OWGJrNVlZbGhTV1ZWcVJrdFRWbFowVFZjNVZXSkdjRnBWVjNCWFZqRkplbUZHYUZwbGExcDZWbXBHVDJSV1ZuUmhSbEpUVmxoQ1dWWXhXbXROUmtwMFZWaG9WbUpHY0ZsWmJGWmhZMVpTVjFkdVpFNVNiRm93VkZab2ExWlhTbFpqUldSYVRVWmFNMVpxU2tabFZsWlpXa1p3YUdFelFrMVdWM0JIVkRKU1YxZHVUbFJpVjJoeldXeG9iMWRHV25STlNHaFBVbTE0V0ZZeGFHOVdiVXB5VGxaU1YyRXlVVEJXVjNoaFZqRldXVnBHUWxaV1JFRTE=
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function o______XX16041118053, String Vm0weE5GbFdiRmRYV0dSUFZsZFNWMWxyWkZOWFZteHlXa1pPVjJKSGVGWlZiVFZyVmpBeFdHVkliRmRpUmtwSVZtMHhTMUl5VGtkaVJuQk9UVEJLV1Zac1VrSmxSbHB5VGxaa1lWSXdXbGhXYlhoM1lVWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0=
Document contains an embedded VBA with hexadecimal encoded strings
Source: astro-grep-setup.exe.doc | Stream path 'VBA/NewMacros': found hex strings
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\ProgramData\Memsys\ms.exe
Source: C:\ProgramData\Memsys\ms.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\ProgramData\Memsys\ms.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_001D3868
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_001D4540
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_001D3520
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_004048C5
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_004064CB
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_00406CA2
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_001B3868
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_001B4540
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_001B3520
Source: astro-grep-setup.exe.doc | OLE, VBA macro line: Sub AutoOpen()
Source: astro-grep-setup.exe.doc | OLE, VBA macro line: Private Sub Workbook_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function AutoOpen
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function Workbook_Open
Source: astro-grep-setup.exe.doc | OLE indicator, VBA macros: true
Source: astro-grep-setup.exe.doc | OLE indicator has summary info: false
Source: astro-grep-setup.exe.doc | OLE indicator application name: unknown
Source: ms.exe.0.dr | Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ms.exe.0.dr | Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: ms.exe.0.dr | Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AstroGrep.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ms.exe.0.dr | Static PE information: Data appended to the last section found
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Window title found: astrogrep v4.4.7 setup < &backi &agreecancelnullsoft install system v3.0rc1 nullsoft install system v3.0rc1license agreementplease review the license terms before installing astrogrep v4.4.7.press page down to see the rest of the agreement. gnu general public license version 2 june 1991 copyright (c) 1989 1991 free software foundation inc. 59 temple place suite 330 boston ma 02111-1307 usa everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. preamble the licenses for most software are designed to take away yourfreedom to share and change it. by contrast the gnu general publiclicense is intended to guarantee your freedom to share and change freesoftware--to make sure the software is free for all its users. thisgeneral public license applies to most of the free softwarefoundation's software and to any other program whose authors commit tousing it. (some other free software foundation software is covered bythe gnu library general public license instead.) you can apply it toyour programs too. when we speak of free software we are referring to freedom notprice. our general public licenses are designed to make sure that youhave the freedom to distribute copies of free software (and charge forthis service if you wish) that you receive source code or can get itif you want it that you can change the software or use pieces of itin new free programs; and that you know you can do these things. to protect your rights we need to make restrictions that forbidanyone to deny you these rights or to ask you to surrender the rights.these restrictions translate to certain responsibilities for you if youdistribute copies of the software or if you modify it. for example if you distribute copies of such a program whethergratis or for a fee you must give the recipients all the rights thatyou have. you must make sure that they too receive or can get thesource code. and you must show them these terms so they know theirrights. we protect your rights with two steps: (1) copyright the software and(2) offer you this license which gives you legal permission to copydistribute and/or modify the software. also for each author's protection and ours we want to make certainthat everyone understands that there is no warranty for this freesoftware. if the software is modified by someone else and passed on wewant its recipients to know that what they have is not the original sothat any problems introduced by others will not reflect on the originalauthors' reputations. finally any free program is threatened constantly by softwarepatents. we wish to avoid the danger that redistributors of a freeprogram will individually obtain patent licenses in effect making theprogram proprietary. to prevent this we have made it clear that anypatent must be licensed for everyone's free use or not licensed at all. the precise terms and conditions for copying distribution andmodification follow.
Source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: C:\ProgramData\Memsys\ms.exe, type: DROPPED | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: ASTRO-GREP.EXE.2.dr, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: astro-grep.exe.3.dr, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 12.2.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 12.0.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 14.0.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs | Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUe
YeeUck8GNsyx8WHqW6DHeMgQYSOay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 14.2.astro-grep.exe.190000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                             Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: ASTRO-GREP.EXE.2.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: ASTRO-GREP.EXE.2.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: 14.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: 14.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: 12.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: 12.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: 14.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: 14.2.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: 12.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: 12.0.astro-grep.exe.190000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                             Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                             Source: ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                             Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@20/36@1/2
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_00404352 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_0040205E CoCreateInstance,MultiByteToWideChar,
                             Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B71AD0 FindResourceA,LoadResource,SizeofResource,LockResource,_memset,_memmove,FreeResource,
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$tro-grep-setup.exe.doc
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mutex_6SI8OkPnk
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB3D4.tmp
                             Source: astro-grep-setup.exe.doc | OLE document summary: title field not present or empty
                             Source: astro-grep-setup.exe.doc | OLE document summary: author field not present or empty
                             Source: astro-grep-setup.exe.doc | OLE document summary: edited time not present or 0
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
                             Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.............................B.................(.....
                             Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ................................H&!.....(.P.....................................................................................................
                             Source: C:\ProgramData\Memsys\ms.exe | Command line argument: shell32.dll
                             Source: C:\ProgramData\Memsys\ms.exe | Command line argument: ShellExecuteA
                             Source: C:\ProgramData\Memsys\ms.exe | Command line argument: RBIND
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                             Source: C:\ProgramData\Memsys\ms.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | File read: C:\Windows\System32\drivers\etc\hosts
                             Source: astro-grep-setup.exe.doc | Virustotal: Detection: 60%
                             Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\ProgramData\Memsys\ms.exe C:\ProgramData\Memsys\ms.exe
                             Source: C:\ProgramData\Memsys\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                             Source: C:\ProgramData\Memsys\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
                             Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                             Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                             Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {E0184388-4CC0-4E79-AF38-011207705295} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                             Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
                             Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
                             Source: C:\ProgramData\Memsys\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                             Source: C:\ProgramData\Memsys\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
                             Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                             Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                             Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
                             Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
                             Source: C:\ProgramData\Memsys\ms.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: OK
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: I Agree
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Install
                             Source: Window Recorder | Window detected: More than 3 window changes detected
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Window detected: < &BackI &AgreeCancelNullsoft Install System v3.0rc1 Nullsoft Install System v3.0rc1License AgreementPlease review the license terms before installing AstroGrep v4.4.7.Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away yourfreedom to share and change it. By contrast the GNU General PublicLicense is intended to guarantee your freedom to share and change freesoftware--to make sure the software is free for all its users. ThisGeneral Public License applies to most of the Free SoftwareFoundation's software and to any other program whose authors commit tousing it. (Some other Free Software Foundation software is covered bythe GNU Library General Public License instead.) You can apply it toyour programs too. When we speak of free software we are referring to freedom notprice. Our General Public Licenses are designed to make sure that youhave the freedom to distribute copies of free software (and charge forthis service if you wish) that you receive source code or can get itif you want it that you can change the software or use pieces of itin new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbidanyone to deny you these rights or to ask you to surrender the rights.These restrictions translate to certain responsibilities for you if youdistribute copies of the software or if you modify it. For example if you distribute copies of such a program whethergratis or for a fee you must give the recipients all the rights thatyou have. You must make sure that they too receive or can get thesource code. And you must show them these terms so they know theirrights. We protect your rights with two steps: (1) copyright the software and(2) offer you this license which gives you legal permission to copydistribute and/or modify the software. Also for each author's protection and ours we want to make certainthat everyone understands that there is no warranty for this freesoftware. If the software is modified by someone else and passed on wewant its recipients to know that what they have is not the original sothat any problems introduced by others will not reflect on the originalauthors' reputations. Finally any free program is threatened constantly by softwarepatents. We wish to avoid the danger that redistributors of a freeprogram will individually obtain patent licenses in effect making theprogram proprietary. To prevent this we have made it clear that anypatent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution andmodification follow. GNU GENERAL PUBLIC L
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                             Source: astro-grep-setup.exe.doc | Static file information: File size 1446736 > 1048576
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                            Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
                            Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp
                            Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe, 00000002.00000000.2386968747.0000000000B79000.00000002.00020000.sdmp
                            Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp

                            Data Obfuscation:

                             .NET source code contains potential unpacker
                             Source: ASTRO-GREP.EXE.2.dr, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: astro-grep.exe.3.dr, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: 12.2.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: 12.0.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: 14.0.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: 14.2.astro-grep.exe.190000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                             Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B76260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                             Source: ASTROGREP_SETUP_V4.4.7.EXE.2.dr | Static PE information: real checksum: 0x0 should be: 0xea31c
                             Source: ms.exe.0.dr | Static PE information: real checksum: 0x105a08 should be: 0x31c25
                             Source: astro-grep.exe.3.dr | Static PE information: real checksum: 0x0 should be: 0xff1e
                             Source: AstroGrep.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x900c7
                             Source: ASTRO-GREP.EXE.2.dr | Static PE information: real checksum: 0x0 should be: 0xff1e
                             Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B74485 push ecx; ret
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00927399 push es; ret
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_0092711F push cs; iretd
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00922F81 push eax; ret
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_0092710D push cs; iretd
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00924122 push eax; ret
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00922A66 push 0000003Eh; retn 0000h
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_00197399 push es; ret
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_0019711F push cs; iretd
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_0019710D push cs; iretd
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_00192F81 push eax; ret
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_00194122 push eax; ret
                             Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 12_2_00192A66 push 0000003Eh; retn 0000h
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\System.dll
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\LangDLL.dll
                             Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | File created: C:\Users\user\AppData\Roaming\astro-grep.exe
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\ProgramData\Memsys\ms.exe
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\NLog.dll
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\AstroGrep.exe
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\StartMenu.dll
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
                             Source: C:\ProgramData\Memsys\ms.exe | File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsa2731.tmp\nsDialogs.dll
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
                             Source: C:\ProgramData\Memsys\ms.exe | File created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\Uninstall.exe
                             Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\ProgramData\Memsys\ms.exe
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\license.txt
                             Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\readme.txt

                            Boot Survival:

                            Yara detected AsyncRAT
                            Source: Yara match | File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
                            Source: Yara match | File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED
                            Uses schtasks.exe or at.exe to add and modify task schedules
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (observed 11 times)
                            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (observed 56 times)
                            Source: C:\ProgramData\Memsys\ms.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (observed 18 times)
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process information set: NOOPENFILEERRORBOX (observed 38 times)
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Process information set: NOOPENFILEERRORBOX (observed 2 times)
                            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX (observed 7 times)
                            Source: C:\Windows\System32\taskeng.exe | Process information set: NOOPENFILEERRORBOX (observed 4 times)
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process information set: NOOPENFILEERRORBOX (observed 68 times)

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match | File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ASTRO-GREP.EXE, astro-grep.exe | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped PE file which has not been started: C:\ProgramData\Memsys\ms.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\NLog.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 2984 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 2984 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2500 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 2700 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 2576 | Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 1100 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_00406033 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_00402688 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: astro-grep.exe | Binary or memory string: vmware
Source: ASTRO-GREP.EXE, 00000003.00000002.2441362969.000000000050C000.00000004.00000020.sdmp | Binary or memory string: VMware_S
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000003.2477256410.00000000005D3000.00000004.00000001.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_001D41B4 CheckRemoteDebuggerPresent,
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process queried: DebugPort
Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B73BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B76260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process token adjusted: Debug
Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B74991 SetUnhandledExceptionFilter,
Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B72701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Memory allocated: page read and write | page guard
Source: C:\ProgramData\Memsys\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\ProgramData\Memsys\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: taskeng.exe, 0000000B.00000002.2652076256.0000000000870000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652227873.0000000000B60000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: taskeng.exe, 0000000B.00000002.2652076256.0000000000870000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652227873.0000000000B60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: taskeng.exe, 0000000B.00000002.2652076256.0000000000870000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652227873.0000000000B60000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Queries volume information: C:\Program Files (x86)\AstroGrep\AstroGrep.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Queries volume information: C:\Program Files (x86)\AstroGrep\Uninstall.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
Source: C:\ProgramData\Memsys\ms.exe | Code function: 2_2_00B75173 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 4_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 12.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.astro-grep.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b7f330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b7f330.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.24afcd8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b7f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.ms.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ms.exe.b7f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 2432, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2468, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Memsys\ms.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 2 | Extra Window Memory Injection 1 | Disable or Modify Tools 11 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scripting 421 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Scripting 421 | LSASS Memory | File and Directory Discovery 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API 1 | Logon Script (Windows) | Process Injection 12 | Obfuscated Files or Information 111 | Security Account Manager | System Information Discovery 27 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Encrypted Channel 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 33 | Logon Script (Mac) | Scheduled Task/Job 2 | Software Packing 11 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Standard Port 1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Command and Scripting Interpreter 3 | Network Logon Script | Registry Run Keys / Startup Folder 1 | Extra Window Memory Injection 1 | LSA Secrets | Security Software Discovery 231 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Scheduled Task/Job 2 | Rc.common | Rc.common | Masquerading 2 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 2 | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 41 | DCSync | Virtualization/Sandbox Evasion 41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 12 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

Behavior Graph

Behavior Graph ID: 450275
Sample: astro-grep-setup.exe.doc
Startdate: 17/07/2021
Architecture: WINDOWS
Score: 100

Top signatures: Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 12 other signatures

Process tree as drawn in the graph:

• WINWORD.EXE: dropped C:\ProgramData\Memsys\ms.exe (PE32); signature: Document exploit detected (creates forbidden files); started ms.exe
• ms.exe: dropped C:\Users\user\AppData\...\ASTRO-GREP.EXE (PE32) and C:\Users\user\...\ASTROGREP_SETUP_V4.4.7.EXE (PE32); signatures: Antivirus detection for dropped file, Machine Learning detection for dropped file; started ASTRO-GREP.EXE and ASTROGREP_SETUP_V4.4.7.EXE
• ASTRO-GREP.EXE: dropped C:\Users\user\AppData\...\astro-grep.exe (PE32); signatures: Antivirus detection for dropped file, Machine Learning detection for dropped file, Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent); started two cmd.exe instances
• cmd.exe (first instance): signature: Uses schtasks.exe or at.exe to add and modify task schedules; started schtasks.exe
• cmd.exe (second instance): started astro-grep.exe and timeout.exe
• ASTROGREP_SETUP_V4.4.7.EXE: dropped C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32), C:\Users\user\AppData\Local\...\StartMenu.dll (PE32) and 8 other files (none is malicious)
• taskeng.exe: started astro-grep.exe
• astro-grep.exe (started by taskeng.exe): network contacts 185.195.232.251, 49166, 49167, 49168 (ESAB-ASSE, Sweden) and pastebin.com 104.23.98.190, 443, 49165 (CLOUDFLARENETUS, United States)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
astro-grep-setup.exe.doc | 60% | Virustotal |
astro-grep-setup.exe.doc | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | 100% | Avira | TR/Dropper.Gen
C:\ProgramData\Memsys\ms.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\astro-grep.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | 100% | Joe Sandbox ML |
C:\ProgramData\Memsys\ms.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\astro-grep.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | Virustotal |
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | Virustotal |
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 1% | Virustotal |
C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 2% | Metadefender |
C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\NLog.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\NLog.dll | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\Uninstall.exe | 5% | Metadefender |
C:\Program Files (x86)\AstroGrep\Uninstall.exe | 2% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\libAstroGrep.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\libAstroGrep.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
12.2.astro-grep.exe.190000.0.unpack | 100% | Avira | TR/Dropper.Gen
14.0.astro-grep.exe.190000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.ASTRO-GREP.EXE.920000.0.unpack | 100% | Avira | TR/Dropper.Gen
2.0.ms.exe.b8b130.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.0.astro-grep.exe.190000.0.unpack | 100% | Avira | TR/Dropper.Gen
2.2.ms.exe.b70000.0.unpack | 100% | Avira | TR/Dropper.Gen
14.2.astro-grep.exe.190000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.0.ASTRO-GREP.EXE.920000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.ASTRO-GREP.EXE.24afcd8.1.unpack | 100% | Avira | HEUR/AGEN.1110362
2.0.ms.exe.b70000.0.unpack | 100% | Avira | TR/Dropper.Gen
2.2.ms.exe.b8b130.2.unpack | 100% | Avira | TR/Patched.Ren.Gen

                            Domains

                            No Antivirus matches

                            URLs

                            Source | Detection | Scanner | Label
                            http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                            http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                            https://pastebin.comP | 0% | Avira URL Cloud | safe
                            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
                            http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                            http://www.%s.comPA | 0% | URL Reputation | safe
                            http://ocsp.entrust.net0D | 0% | URL Reputation | safe

                            Domains and IPs

                            Contacted Domains

                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            pastebin.com | 104.23.98.190 | true | false | - | high

                              URLs from Memory and Binaries

                              Name | Source | Malicious | Antivirus Detection | Reputation
                              http://www.windows.com/pctv. | ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp | false | - | high
                              http://investor.msn.com | ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp | false | - | high
                              http://www.msnbc.com/news/ticker.txt | ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp | false | - | high
                              http://crl.entrust.net/server1.crl0 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | - | high
                              http://ocsp.entrust.net03 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                              https://pastebin.com/raw | astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmp | false | - | high
                              https://pastebin.com/raw/VTByvKGM | ASTRO-GREP.EXE, 00000003.00000002.2441616944.0000000002431000.00000004.00000001.sdmp, ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652178883.0000000000750000.00000004.00000020.sdmp, astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmp | false | - | high
                              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                              https://nlog-project.org/ | ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp | false | - | high
                              http://www.diginotar.nl/cps/pkioverheid0 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                              https://pastebin.com/raw/VTByvKGMHD | astro-grep.exe, 0000000C.00000002.2652446200.00000000024E6000.00000004.00000001.sdmp | false | - | high
                              https://pastebin.comP | astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                              http://nsis.sf.net/NSIS_ErrorError | ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000000.2390480957.0000000000409000.00000008.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp | false | - | high
                              http://windowsmedia.com/redir/services.asp?WMPFriendly=true | ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                              http://www.hotmail.com/oe | ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp | false | - | high
                              https://pastebin.com/raw/VTByvKGMHD9mPHD9m0HD9m | ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp | false | - | high
                              https://www.nuget.org/packages/NLog.Web.AspNetCore | ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477551190.0000000000409000.00000004.00020000.sdmp | false | - | high
                              http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp | false | - | high
                              http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                              http://www.icra.org/vocabulary/. | ms.exe, 00000002.00000002.2395032215.0000000002927000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2479870233.0000000003377000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | ASTRO-GREP.EXE, 00000003.00000002.2442951671.0000000004ED0000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477688132.0000000001E30000.00000002.00000001.sdmp, taskeng.exe, 0000000B.00000002.2652140631.0000000001C70000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2653664387.0000000004DF0000.00000002.00000001.sdmp | false | - | high
                              http://nsis.sf.net/NSIS_Error | ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000000.2390480957.0000000000409000.00000008.00020000.sdmp | false | - | high
                              http://investor.msn.com/ | ms.exe, 00000002.00000002.2393092375.0000000002740000.00000002.00000001.sdmp | false | - | high
                              http://www.%s.comPA | ASTRO-GREP.EXE, 00000003.00000002.2442951671.0000000004ED0000.00000002.00000001.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000004.00000002.2477688132.0000000001E30000.00000002.00000001.sdmp, taskeng.exe, 0000000B.00000002.2652140631.0000000001C70000.00000002.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2653664387.0000000004DF0000.00000002.00000001.sdmp, astro-grep.exe, 0000000E.00000002.2504792179.0000000004F70000.00000002.00000001.sdmp | false | URL Reputation: safe | low
                              http://ocsp.entrust.net0D | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ASTRO-GREP.EXE, 00000003.00000002.2441734010.000000000248A000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp | false | - | high
                              https://secure.comodo.com/CPS0 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | - | high
                              http://pastebin.com | astro-grep.exe, 0000000C.00000002.2652361514.0000000002344000.00000004.00000001.sdmp | false | - | high
                              https://pastebin.com | astro-grep.exe, 0000000C.00000002.2652418016.000000000245A000.00000004.00000001.sdmp, astro-grep.exe, 0000000C.00000002.2652322196.00000000022E1000.00000004.00000001.sdmp | false | - | high
                              http://crl.entrust.net/2048ca.crl0 | astro-grep.exe, 0000000C.00000002.2653393043.0000000004877000.00000004.00000001.sdmp | false | - | high
                              https://pastebin.com/raw/VTByvKGMHD9m | ASTRO-GREP.EXE, 00000003.00000002.2441768863.00000000024C1000.00000004.00000001.sdmp | false | - | high

                                                                          Contacted IPs


                                                                          Public

                              IP | Domain | Country | ASN | ASN Name | Malicious
                              185.195.232.251 | unknown | Sweden | 39351 | ESAB-ASSE | false
                              104.23.98.190 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false

                                                                          General Information

                              Joe Sandbox Version: 33.0.0 White Diamond
                              Analysis ID: 450275
                              Start date: 17.07.2021
                              Start time: 21:39:14
                              Joe Sandbox Product: CloudBasic
                              Overall analysis duration: 0h 15m 1s
                              Hypervisor based Inspection enabled: false
                              Report type: light
                              Sample file name: astro-grep-setup.exe.doc
                              Cookbook file name: defaultwindowsofficecookbook.jbs
                              Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                              Number of new started processes analysed: 15
                              Number of new started drivers analysed: 0
                              Number of existing processes analysed: 0
                              Number of existing drivers analysed: 0
                              Number of injected processes analysed: 0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • HDC enabled
                                                                          • GSI enabled (VBA)
                                                                          • AMSI enabled
                              Analysis Mode: default
                              Analysis stop reason: Timeout
                              Detection: MAL
                              Classification: mal100.troj.expl.evad.winDOC@20/36@1/2
                              EGA Information: Failed
                              HDC Information:
                                                                          • Successful, ratio: 48.5% (good quality ratio 41.8%)
                                                                          • Quality average: 72.3%
                                                                          • Quality standard deviation: 35.8%
                                                                          HCA Information:
                                                                          • Successful, ratio: 69%
                                                                          • Number of executed functions: 0
                                                                          • Number of non-executed functions: 0
                                                                          Cookbook Comments:
                                                                          • Adjust boot time
                                                                          • Enable AMSI
                                                                          • Found application associated with file extension: .doc
                                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                                          • Found warning dialog
                                                                          • Click Ok
                                                                          • Found warning dialog
                                                                          • Click Ok
                                                                          • Found warning dialog
                                                                          • Click Ok
                                                                          • Attach to Office via COM
                                                                          • Scroll down
                                                                          • Close Viewer
                                                                          Warnings:
                                                                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                          • TCP Packets have been reduced to 100
                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                              • Not all processes were analyzed, report is missing behavior information
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtSetInformationFile calls found.

                                                                          Simulations

                                                                          Behavior and APIs

                              Time | Type | Description
                              21:42:01 | API Interceptor | 9x Sleep call for process: ms.exe modified
                              21:42:02 | API Interceptor | 342x Sleep call for process: ASTROGREP_SETUP_V4.4.7.EXE modified
                              21:42:02 | API Interceptor | 213x Sleep call for process: ASTRO-GREP.EXE modified
                              21:42:26 | API Interceptor | 2x Sleep call for process: schtasks.exe modified
                              21:42:28 | Task Scheduler | Run new task: astro-grep path: "C:\Users\user\AppData\Roaming\astro-grep.exe"
                              21:42:28 | API Interceptor | 427x Sleep call for process: taskeng.exe modified
                              21:42:29 | API Interceptor | 401x Sleep call for process: astro-grep.exe modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

                              Match | Associated Sample Name / URL | Detection | Context
                              185.195.232.251 | SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe | malicious | -
                              104.23.98.190 | C1jT7pIYSJ.exe | malicious | pastebin.com/raw/npsqXhuQ
                              104.23.98.190 | uwoYazbVds.exe | malicious | pastebin.com/raw/npsqXhuQ
                              104.23.98.190 | u6Wf8vCDUv.exe | malicious | pastebin.com/raw/BCAJ8TgJ
                              104.23.98.190 | EU441789083.doc | malicious | pastebin.com/raw/BCAJ8TgJ
                              104.23.98.190 | b095b966805abb7df4ffddf183def880.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | E1Q0TjeN32.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | 6YCl3ATKJw.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | Hjnb15Nuc3.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | 4av8Sn32by.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | 5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | T6OcyQsUsY.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | 1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | PbTwrajNMX.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | 22NO7gVJ7r.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | rE7DwszvrX.exe | malicious | pastebin.com/raw/XMKKNkb0
                              104.23.98.190 | VjPHSJkwr6.exe | malicious | pastebin.com/raw/XMKKNkb0

                                                                            Domains

                              Match | Associated Sample Name / URL | Detection | Context
                              pastebin.com | TIJYYlYJpv.exe | malicious | 104.23.99.190
                              pastebin.com | banload.msi | malicious | 104.23.99.190
                              pastebin.com | SecuriteInfo.com.Trojan.PackedNET.721.17987.exe | malicious | 104.23.98.190
                              pastebin.com | 6rg5Enu1ks.exe | malicious | 104.23.99.190
                              pastebin.com | Loader.exe | malicious | 104.23.99.190
                              pastebin.com | banload.msi | malicious | 104.23.98.190
                              pastebin.com | t3uss3bjUL.exe | malicious | 104.23.98.190
                              pastebin.com | h3Y0CRAJyq.exe | malicious | 104.23.98.190
                              pastebin.com | Order Request.xlsx | malicious | 104.23.98.190
                              pastebin.com | 4fy0Wb1EUX.exe | malicious | 104.23.98.190
                              pastebin.com | CYzY9Pi2ny.exe | malicious | 104.23.99.190
                              pastebin.com | SgCDxPdEul.exe | malicious | 104.23.99.190
                              pastebin.com | 42C75D53ACD263FF2B2DAD511E40E0E40E9A6119BAA68.exe | malicious | 104.23.99.190
                              pastebin.com | Request For Quotation.xlsx | malicious | 104.23.98.190
                              pastebin.com | Lr2Hm9rVac.exe | malicious | 104.23.98.190
                              pastebin.com | XoN2GgRiga.exe | malicious | 104.23.99.190
                              pastebin.com | vEJ2Mfxn6p.exe | malicious | 104.23.99.190
                              pastebin.com | G-DECL G50 EURL.xlsx | malicious | 104.23.99.190
                              pastebin.com | C1jT7pIYSJ.exe | malicious | 104.23.98.190
                              pastebin.com | 7NBeM7iVOm.exe | malicious | 104.23.98.190

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 7168
Entropy (8bit): 4.487949196682819
Encrypted: false
SSDEEP: 96:+2x9scF3MzO5l+9B9Q6uyT4A3KXr7HazHJ/ylHj/V3ojWNta1FYcCe:5x938OYLsA3YgwN5RszYcCe
MD5: A06B34EE8AD3B52CE1C76847FC7991A0
SHA1: D52CBED52AD91E5D297E3F96D7AAA1476A42F087
SHA-256: 0822F460D448356DAE96963C1A56DA2553FE6BB6A859B1646D1A76DBC346F03C
SHA-512: B4741046E83A89FBFB8848AC649E22D1773B54F5B6C96EE49057C12ADE502DE5594C706BAE140FEF864F3FB1A585A0F8D840C5369073561189C9665CD5FD2CD2
Malicious: false
Antivirus:
• Virustotal, Detection: 0%
• Metadefender, Detection: 0%
• ReversingLabs, Detection: 0%
Reputation: low
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe.config
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 175
Entropy (8bit): 5.022488547778473
Encrypted: false
SSDEEP: 3:vFWWMNHU8LdgCQcIMOoT02VK/FlURAmIRMNHjFHr0lUfEyhTRRAoe+RAW4QIMOov:TMVBd1I002VKNa7VJdfEyFRRAoeuAW44
MD5: 57717DA46BD278CA043D8101847D8FF4
SHA1: D93BAADBB3C644D841D7AA4E95DCD76F9897BD05
SHA-256: 12D08F2857A02B5A4EF5DF6EC2D840296AAC4C219704B2FB6F15A7571230A4C5
SHA-512: A054A7FD69E4A643286212FEDABDE4BDFB36BBF3E7F9FC33524BA8DFECBC375E991C23B4E047F5F235A77E9D6A525F996934A4A993B61E1FE7D84066FF972DF1
Malicious: false
Reputation: low
Preview:
  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <startup>
      <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    </startup>
  </configuration>
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 9216
Entropy (8bit): 4.660156886149009
Encrypted: false
SSDEEP: 192:MPL93AfzEbqrlLH945OKtueaQJ6BLcSEeC137:MsEbyHGscu3DdkxL
MD5: 2F2899673ABB136BFC8B92A6D3BAFF33
SHA1: 5BE14D5C58AF9F78858DD5E9ED6CD929F87AC0B4
SHA-256: 0E7A71232FB6676777A823ADDB4776BD895ABBE29EA2487110073BD0C5FF6AA6
SHA-512: CF5B23F4E5417DDC4AB5A354E7EA90C5CCE28133DE7D1AE260F0879E474727DBB73E47C9CB92A98BD5B6F6EBCFC67CD955423FA1615A0D7C24783415325200CA
Malicious: false
Antivirus:
• Virustotal, Detection: 0%
• Metadefender, Detection: 0%
• ReversingLabs, Detection: 0%
Reputation: low
C:\Program Files (x86)\AstroGrep\AstroGrep.exe
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 573440
Entropy (8bit): 6.183835631467389
Encrypted: false
SSDEEP: 12288:uibf6/zxXrXyhwSl9LndCXlhqNWvgVYODH9zG5X1LeihaBQSa:ifEWOYODH9zoX1Le/
MD5: 202C965DE1291E773F7DAE0C495253FB
SHA1: 13EB40E5DF525388D7A2AD18B1720FED78C5EE13
SHA-256: 3138155ABD6A9BADDB63869CD34BF0492718929E910CB4F38BC1767507932B4F
SHA-512: 97445E848DA86876AB324B9C6EC2D27F51BE753ABF1956A79829763F92363B9B7C05A232F876C97A66653109505BAE94BB2B85B53E6F9697698EF8EA2FD21F7A
Malicious: false
Antivirus:
• Virustotal, Detection: 1%
• Metadefender, Detection: 2%
• ReversingLabs, Detection: 0%
C:\Program Files (x86)\AstroGrep\AstroGrep.exe.config
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 237
Entropy (8bit): 4.960108368394514
Encrypted: false
SSDEEP: 6:TMV0kIffVKNC7VJdfEyFRRAopuAlKNjSt+gP9XWRM5W4QIT:TMG13VOcr6U9wNutJP9UMo4xT
MD5: 502C63E84CACC88FA782EEC1772EFF68
SHA1: BA6138741633C60D1C92C7C25DDE15D378C0C324
SHA-256: FE3405C9535DCE3857908E6740099227B7D55CF78A15676D440E781E04EA17BD
SHA-512: EBA2DD5216BB3293BB3101A5CDADDEF0B4A94577159A8A0654F712F9939F1D03FF670DA6DF0B5F4475D593EDDF330E76E2F6EB19B19E3E51C2EA53A74ACC59B3
Malicious: false
Preview:
  <?xml version="1.0"?>
  <configuration>
    <startup>
      <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    </startup>

    <runtime>
      <gcAllowVeryLargeObjects enabled="true" />
    </runtime>
  </configuration>
C:\Program Files (x86)\AstroGrep\AstroGrep_256x256.png
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 6813
Entropy (8bit): 7.898680227457462
Encrypted: false
SSDEEP: 192:djkp/iNmEYXGtZEV2QWEgFmPPqlqCSKG1Ief:hmiNmTP733q+XR
MD5: 2143826EABE773D3206333B65C2FC67B
SHA1: B75806940C971C2BB8584E1028EFA512F8AA5646
SHA-256: 8A50671F22D64A0131C9FFE23B3777862172F6D5C63B48C94DFE0FE8E8D62D06
SHA-512: 3D0611BEE13D6A397D5FB3F2E924829360596891DBCFDE1EC0FCE25F2DDEE62D50A10ABA31827334FE12867C508694BB8FB3F72604FC08A1CD323C2615C2F3FF
Malicious: false
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 626688
Entropy (8bit): 6.014937851800105
Encrypted: false
SSDEEP: 6144:Oo7n6u1n5vp9yRUmqtM0yRrl0pjoeUy8b01vKbZ/gAGl0gUEdYC:OoLDnwmW0yRr88bwKKdf
MD5: B4D5D46E50006E87B30E7D514E95173C
SHA1: BD3BA298EB7E4CDBFDF29E3992BE7D32A4E792EB
SHA-256: 058F38F33F3F99F904AB9588447A234346C859718404B4E8A523673ED19CDBE7
SHA-512: 38FF7CADA6CFA56AF812A1D859AAC4FB8B94DF50454A9FECC55E4FDB159339F6BA885D0B57FE8C522227DD9280CDA0CA21C6A073B6552923FA33F6E77D8F3BC5
Malicious: false
Antivirus:
• Metadefender, Detection: 0%
• ReversingLabs, Detection: 0%
                                                                            C:\Program Files (x86)\AstroGrep\NLog.dll
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):784384
                                                                            Entropy (8bit):6.017097344038701
                                                                            Encrypted:false
                                                                            SSDEEP:12288:/n77J/zrlPjThZdvTU585ZqmjlJzAF7GVj8TcpkMcaQD3SaB5mUsQ:/n77J/zrlPjThZdv55ZbIF7GVje4kRD5
                                                                            MD5:063D7646038B3676CA4BBCCF8CD9736C
                                                                            SHA1:DE90082E366938A3D1BB16A9B5BBB4D692F620D4
                                                                            SHA-256:F809128B8E35F20A0407F9642AEFA1A64D2B5494F024F5EC403B712C67441ECD
                                                                            SHA-512:BB50F12A9B5DE65752B7AFDDF82726A82BB06DF8B6B16712385663981DA810189FA9B72FA45122B3C57719D9EB626BB5D1D90B29D833851A4AA08E35B6FDB923
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: Metadefender, Detection: 0%
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            C:\Program Files (x86)\AstroGrep\Uninstall.exe
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Category:dropped
                                                                            Size (bytes):61854
                                                                            Entropy (8bit):6.589895956298641
                                                                            Encrypted:false
                                                                            SSDEEP:1536:Gw4fpS/nScizHM74N0DIDidcfgdLeAyN9jWtNixGl:Gw4gnScG4DI2dcfceAkWrixq
                                                                            MD5:15BDDE25A8A23AAFB0E593D4A1F145B6
                                                                            SHA1:250EC8FEA74A2EAC9A1BD3DA1ABF5AC91D1962D7
                                                                            SHA-256:4118177FBD02533C449D3D02168300DA1D5B24052B10877A3B4BC03E27C5C375
                                                                            SHA-512:3AFB05064722B5616EA74BC8C8E6C50D6EB8F1125AC333339430D05FAE89E445753E45DD5FDCA17E9BE9A94BCA67B3E2B31EEB52DAF2AF3BEC47D0A1EC1ABD03
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: Metadefender, Detection: 5%
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            C:\Program Files (x86)\AstroGrep\astrogrep.VisualElementsManifest.xml
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):303
                                                                            Entropy (8bit):5.268121017723893
                                                                            Encrypted:false
                                                                            SSDEEP:6:ejHyWc4subuVFWod/NDhkQwYnF4kQwYWadTZ/FhYWadTZ/FeXXKhdNc0SDSFQ:ebvyWW/meZsR1sR8drDGQ
                                                                            MD5:824E6132D30D647AED6E9EE3C2DA12C9
                                                                            SHA1:DCBE8CAB6784AA26BC9A4F0DC5B60D9733A49F74
                                                                            SHA-256:01BF1A694FAF44953B592D1C237D3F93C1B8B346476C30E638C1FAAD0201386B
                                                                            SHA-512:DABC61D48723B53C95EE7BBDDB92261E724054CDCE4F9616B0338CACE8F8A9667CAC087C131D8A83BEE68875436F08F9A313F70EA5B85A46989D2B21C84F0541
                                                                            Malicious:false
                                                                            Preview: <Application xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>.. <VisualElements.. ShowNameOnSquare150x150Logo='on'.. Square150x150Logo='AstroGrep_256x256.png'.. Square70x70Logo='AstroGrep_256x256.png'.. ForegroundText='light'.. BackgroundColor='#fb7f06'/>..</Application>
                                                                            C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):237568
                                                                            Entropy (8bit):5.286872988422086
                                                                            Encrypted:false
                                                                            SSDEEP:3072:1QwCS0adLYzS+L5VsbeNcg2IZOz3eJJ9oA3fGu51O+q4gbPaYgVXLRn/qR8H6K69:1QwCAdLy/mucxIUKPOufGu5m4fr
                                                                            MD5:6E3AFEF0BD6B7EC03007CCDD76F85447
                                                                            SHA1:8B434EAB09D948FAC57E98F312C8B24381873374
                                                                            SHA-256:B268CDA0D5F431E0CB86FFF8A39420AC03DFC9C498CAE702F859904B79307EDE
                                                                            SHA-512:E10EC66C764584AD80D47C1B0CF64B61EBBE3B4E72D2CA05BCDAB5B62F4E3F6FE17A1C37EED9D87A678B8C3D42E6534DE9EE95BF204CA815426EA28935633894
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: Metadefender, Detection: 0%
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            C:\Program Files (x86)\AstroGrep\license.txt
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):18330
                                                                            Entropy (8bit):4.736471809051081
                                                                            Encrypted:false
                                                                            SSDEEP:384:lq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDTj:lzuVLiY+rTZo0sDTj
                                                                            MD5:1324A1677693CF2A399CC9424C756CC3
                                                                            SHA1:2F29E68AB545965C401A12CE4783F7314E658AF3
                                                                            SHA-256:A4BD518E7F66B63A62035C0C542B5F3287BAF7138E13A0F6A30781D8730D766A
                                                                            SHA-512:2FD47275325B3605A9B982704BABFAD72D5AF3048064C66554F00F4D4D264DF252697F1D52733F6C87FBB3927A9FDD48ACF94B2E9475FD52334EFA12EA9F0B5A
                                                                            Malicious:false
                                                                            Preview: .. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Publi
                                                                            C:\Program Files (x86)\AstroGrep\readme.txt
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1834
                                                                            Entropy (8bit):4.931632926415765
                                                                            Encrypted:false
                                                                            SSDEEP:24:CGEEY1zF17X+B41FcMEEn+0MJ/cIr3EQZ1WrT5M5tmZNijpibbCT32yvosGQC:tYFFN+B41eM2UvQL0T1Fzy/GZ
                                                                            MD5:ABE9A78B3FD8ECD7409C2B382820134E
                                                                            SHA1:9AEC458EA30060EE633BD25D235C02AAEFF989D1
                                                                            SHA-256:B17BBDB71C888116A8661B373CA088C9B174E00551DF81B887EE9BCA28492189
                                                                            SHA-512:0F554B3BA4749B22728D303B7AC1BD7596CCAE5A51D0F06560AA829222DD5DFF31F089C2D5894A23D97093836A76595EA5BAA4441EAC4DF44C321F14CD554A3D
                                                                            Malicious:false
                                                                            Preview: .Changelog for AstroGrep v4.4.7..===================================================================..Bugs..-85: Possible issue with word plugin and leaving winword.exe process open...-98: Error "the string was not recognized as a valid DateTime"..-100: Performance issues..-101: Searching Multiple MS Word Documents..-102: Context Lines Display Discrepancy..-103: Astrogrep 4.4.6 hangs clicking on found file..-104: commandline spath not accepting multiple searchPath..-108: Used ListSeparator on right mouse "Copy all"..-109: Command Line issues - Check logic and docs..-113: Feature 108 is not working (Add additional text editor parameter for search text)....Featured Requests:..-101: Stopped painting status bar as often..-110: Exclude directories that do not match pattern (added not equals option for path based options)..-119: Added line hit count to count column values (format: total / line in current Count column)..-122: Add option to only show x chars before/.after matched text..-12
                                                                            C:\ProgramData\Memsys\ms.exe
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):174144
                                                                            Entropy (8bit):6.491457088878327
                                                                            Encrypted:false
                                                                            SSDEEP:3072:tMSncRzAOjuCDTA2G2dBOItczBbyjGUOx2w4gnScG4DI2dcP456WN3cahj:uSncRljuCfzd3tczBb7292+MN3cKj
                                                                            MD5:2BD7A81D9DC6F3D44FD977580271C1F1
                                                                            SHA1:A698930115AD68DDC1471C0F66EDB1E6F913B468
                                                                            SHA-256:43DEC507E474ECA562BE1D6329A842ECD8A7A68E8EF0BA2E3EB8033C1CF18CEA
                                                                            SHA-512:7494DB34B4E2E2D6A4F92E22DDCD2CAEB296A27BF6E5544CB29C99ABDA51DB9B52676DDDA39ED44B570E9A7816C65F1976F40008BECCE5FA4F8B341B0722ABBE
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: C:\ProgramData\Memsys\ms.exe, Author: Florian Roth
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Memsys\ms.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Apr 4 19:57:44 2019, mtime=Sun Jul 18 03:42:39 2021, atime=Thu Apr 4 19:57:44 2019, length=573440, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):1037
                                                                            Entropy (8bit):4.527784755515661
                                                                            Encrypted:false
                                                                            SSDEEP:24:8mQ50FJcdOEv+ZYF/iVgcN6OUA1Ly5Sdfmvdfv8U53qod7y:8mDidO/+/GrN6Oj1Ly5SdfmvdfvpAoxy
                                                                            MD5:D50C2DC45DA94A42EB3519FFB9ECDFB5
                                                                            SHA1:EF70BADE52AE9C1DE9B21EAE6E73958C62D26A81
                                                                            SHA-256:37D91F7E68DC5F1C9ECA21659628748A6F6EF525E5B8C383DD56F4E86440A8C5
                                                                            SHA-512:FF649AE63C9E45182C710CA38230C8E3ADAFEA489939051C8A53C591AC8D0BD763509FA84F64AFDA0233BB13588BEBC9E5AE0F34F9CD6F9611B84DB6F9854470
                                                                            Malicious:false
                                                                            C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 18 03:42:40 2021, mtime=Sun Jul 18 03:42:40 2021, atime=Sun Jul 18 03:42:40 2021, length=61854, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):1037
                                                                            Entropy (8bit):4.53537478019611
                                                                            Encrypted:false
                                                                            SSDEEP:24:8mTJcdOEv+ZYF/8lcafUA1LMdfOhgdfv8U53qoi7n:8mTidO/+/8+afj1LMdfOhgdfvpAoIn
                                                                            MD5:C36F8465E6054E0FCCF8AA35BF1EB274
                                                                            SHA1:623D0C3FE44A45160A6323052813DF2E41AE8950
                                                                            SHA-256:6BC551B7116E1F41183A6A1F1AB103C4202E0F5317F15AFF6D99BE41CB406E7C
                                                                            SHA-512:CBD28E78DC0E1011A462651C852812FFADCC9E2390D940992CBDA4146E12DC76082023498422F2ECD297738BB1CFF825275C1AA1A9C6087FA59394D9C6F6D0ED
                                                                            Malicious:false
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\78FF0AD.png
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:PNG image data, 1024 x 768, 8-bit/color RGBA, non-interlaced
                                                                            Category:dropped
                                                                            Size (bytes):297570
                                                                            Entropy (8bit):7.987371833942709
                                                                            Encrypted:false
                                                                            SSDEEP:6144:wM9q9mzZATahSx65T341zP0LFDPV1W0ilwn8/aaT2J/3Qw9t69Im1J3G:1q90ZATahIMPLVKwCm/3QwKTu
                                                                            MD5:59AC9BE84B9A41DC7BA9B4CC0DC0B2BE
                                                                            SHA1:2F3958FC9B12179EF4003D215D6B609C4B387C95
                                                                            SHA-256:B094944CDD0D7F55FF67CAC98C150C59F67D27A60E661CF403C21D3E22CA4C50
                                                                            SHA-512:7FE0BD9AD21A3201F2A056802BE55C48251DA44D66B8D50D1843E47C25C1C92D272827EF2C26D3EBEF187F215BF07F9C71433FFC68FF0E2A0A9E609E05E7C348
                                                                            Malicious:false
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5BCB44D4-31CD-44E2-A821-3408DFB7CA1A}.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1024
                                                                            Entropy (8bit):0.1215386864328073
                                                                            Encrypted:false
                                                                            SSDEEP:3:JlXll/lGNWtWlxlG:ANyiC
                                                                            MD5:6D00E84E5EDAA43E119EA03CE5ECAA4F
                                                                            SHA1:9FA7D5D09FED0A7C1F8392022EAAA24B66F4E77B
                                                                            SHA-256:957DA89085D8855135307E641A71C5EA2284BE478C115D7A6C3E9C095E83D407
                                                                            SHA-512:9DD9AD771F98A2AA72A238FCFE2F34AE181059A55A214A0B3EF7238916E9494B7BE5510DF0884B1CB1D357578E27F0E9B13F5CB7A1002E4583DBF428D3BBA0BE
                                                                            Malicious:false
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8DB8CC3B-9141-43B7-951A-41190F623D30}.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4273664
                                                                            Entropy (8bit):2.9934039252196754
                                                                            Encrypted:false
                                                                            SSDEEP:3072:asEquQFSZO2fZBlq5KsmqL15nSLK42srUUNoBbTTShbliRWMTwHh2ABRSDxnj/gH:G
                                                                            MD5:204EB5AEA47FB729502B517C7FEEF002
                                                                            SHA1:8AFE0FC7C7C994683ECE60B4E97325A96E5D66A0
                                                                            SHA-256:6A83F0B564303E74D593CB04D9845BE911367173011C27DD1A23771004C3E43B
                                                                            SHA-512:3458DDB5F132361EF9F919BD2FB8E1490ACF911090E7B8B3DE623821CA4058EA36E8FDAB03D3C8F1D5649CF26C230CC098DDCB190AFFA77C06335FB5F2041928
                                                                            Malicious:false
                                                                            Preview: ../......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ..."...$...&...(...*...,.......0...2.......................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{90768F62-679A-419C-A2B1-C0B28319F5E4}.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1024
                                                                            Entropy (8bit):0.05390218305374581
                                                                            Encrypted:false
                                                                            SSDEEP:3:ol3lYdn:4Wn
                                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                            Malicious:false
                                                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FBF58E38-2270-4D70-A99C-79301888F689}.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1536
                                                                            Entropy (8bit):1.357318797251612
                                                                            Encrypted:false
                                                                            SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb5:IiiiiiiiiifdLloZQc8++lsJe1MzG
                                                                            MD5:725A361F060B89059A926A98B5426871
                                                                            SHA1:3F5DF773068BB7382415782D3A0C4A8B1E7666D5
                                                                            SHA-256:A0F0BE63E9A1345B9D5FC8BBD74FF0CF238B1C56BACED75257F606F5EDAE3360
                                                                            SHA-512:2888DBF1D2341A033F691050C8A8204BB1C849894433DD3AA5C4CF41F8F74B04229560B4BC465082C9E312A0963D86F4971B5B1CCCED279CFCAECAA407E8F0E4
                                                                            Malicious:false
                                                                            Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                            Process:C:\ProgramData\Memsys\ms.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):48640
                                                                            Entropy (8bit):5.561770945961325
                                                                            Encrypted:false
                                                                            SSDEEP:768:quCFNTAolrhWU5TeLmo2qrJW6K8e2gaM9PIItc5pIX0byDBm1ERjvmFq+YBDZsx:quCFNTA2G2d6K5aM6Itc5pIEbyAqRzyX
                                                                            MD5:432F0E0AAB658DE046D8B41D2CEF8253
                                                                            SHA1:7BA5B175FFB4BB976C54177F9C40A7339A088654
                                                                            SHA-256:17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
                                                                            SHA-512:BAC97805D8FCBA49B7BDE5067911B293622C610A65F2A2FC527A6C890BE8E79C6CA9C9676786B1EAAC19ECBDB16562EFEE2D7C985707FC04E57E4E3033C75B0B
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.................................T...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..Xv.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
                                                                            C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            Process:C:\ProgramData\Memsys\ms.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Category:dropped
                                                                            Size (bytes):950654
                                                                            Entropy (8bit):7.974042856320811
                                                                            Encrypted:false
                                                                            SSDEEP:24576:2MhCG3sDOdqnRrLVvjD9puJ7li2OLUC0Dc/rP0flxwg:AG3sJpRvjhU7I2OLZD/LUr7
                                                                            MD5:A708211241313FEAF9621E571631534D
                                                                            SHA1:9F398E0CC5B2B5162D5F27A6653709F836D02998
                                                                            SHA-256:5C4FAEBE335FEE04B25B10AA2A0E580571388BDE2CC09E133C72D9D01BC09423
                                                                            SHA-512:8E2FA5F33E16879D8F5ACB4AB783AA4B4B37266CD1346ABEF5D54F2DFEB2177AF872575780E2E7CD02E462349B1C35642C0F7BA3F860034775A064E9A07B08AF
                                                                            Malicious:false
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L....z.W.................`...|.......1.......p....@.......................................@.................................4u..........pP...........................................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...................................rsrc...pP.......R...~..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\msoB754.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:GIF image data, version 89a, 15 x 15
                                                                            Category:dropped
                                                                            Size (bytes):663
                                                                            Entropy (8bit):5.949125862393289
                                                                            Encrypted:false
                                                                            SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
                                                                            MD5:ED3C1C40B68BA4F40DB15529D5443DEC
                                                                            SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
                                                                            SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
                                                                            SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
                                                                            Malicious:false
                                                                            Preview: GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
                                                                            C:\Users\user\AppData\Local\Temp\nsa2731.tmp\LangDLL.dll
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):5632
                                                                            Entropy (8bit):3.936685359308878
                                                                            Encrypted:false
                                                                            SSDEEP:48:im1qsjq8W2MPUptuMMFvx/om/ycNSCwVGfOY0vB6/JvR0Jvof5d2D:F1iBl91Z7/ycNSCwV8TLZR0gd2
                                                                            MD5:91D5E21907E4BAFF0145339311ABF9D9
                                                                            SHA1:F867D8529D4F3704CD4F475B46699B66CB6C2002
                                                                            SHA-256:ACDE373CC4916BE5DF3D239AB67F5980C333E979F34965EE733E7C6259586E9B
                                                                            SHA-512:339E35B89F2AC7D2FBE9DFD9A55279D20463F7C298332810C0EBAA5DE95E09657F4B2837904AE16A8743C4C7ABF7F3C7581099BC94312C178A21783288790401
                                                                            Malicious:false
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.}.}.}.e.....z.)........|....|.Rich}.........PE..L....z.W...........!......................... ...............................`......................................p"..I...` ..P....@..`....................P....................................................... ..`............................text...h........................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc...`....@......................@..@.reloc..l....P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\nsa2731.tmp\StartMenu.dll
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):7680
                                                                            Entropy (8bit):4.616039420427882
                                                                            Encrypted:false
                                                                            SSDEEP:96:HgiqVPb3X8K8Kdr3gEq6nNdMk6Qiw290+q6LDtJ1tU3hhEl7y:HgiqVPgK8K9eIdE9B/tMhg7
                                                                            MD5:9CE20025DEF637F7BE257FA96D25ED05
                                                                            SHA1:CFEE47F72804FFACD06C2254A5F8DCF47373F9D4
                                                                            SHA-256:4B17C914DC40EBA477B653715F07CE9ED9B2EF4A1264A1DAFD624EB289474243
                                                                            SHA-512:AFCE99F1BD803E1B744E33302BA2C85C1122487F2BDF006CA433FE93DB2778A6D68D239D927CE7149443F411A12A4FAC2195D6D01AEC4071C71B8F332C96BDFB
                                                                            Malicious:false
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(...(...(..<'...(.......(..8....(.......(..Rich.(..........................PE..L....z.W...........!........."............... ...............................p.......................................$..e.... ..x....P..(....................`..t.................................................... ...............................text............................... ..`.rdata..U.... ......................@..@.data........0......................@....rsrc...(....P......................@..@.reloc..8....`......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\nsa2731.tmp\System.dll
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11264
                                                                            Entropy (8bit):5.770824470205811
                                                                            Encrypted:false
                                                                            SSDEEP:192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn
                                                                            MD5:B8992E497D57001DDF100F9C397FCEF5
                                                                            SHA1:E26DDF101A2EC5027975D2909306457C6F61CFBD
                                                                            SHA-256:98BCD1DD88642F4DD36A300C76EBB1DDFBBBC5BFC7E3B6D7435DC6D6E030C13B
                                                                            SHA-512:8823B1904DCCFAF031068102CB1DEF7958A057F49FF369F0E061F1B4DB2090021AA620BB8442A2A6AC9355BB74EE54371DC2599C20DC723755A46EDE81533A3C
                                                                            Malicious:false
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....z.W...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\nsa2731.tmp\modern-wizard.bmp
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4
                                                                            Category:dropped
                                                                            Size (bytes):52988
                                                                            Entropy (8bit):1.9568109962493656
                                                                            Encrypted:false
                                                                            SSDEEP:48:Qoi47a5G8SddzKFIcsOz3XMoi47a5G8SddzKFIcsOz3Xz:QonoGNd03IonoGNd03/
                                                                            MD5:E39731A71ED38499AC6B8E51E8E58E34
                                                                            SHA1:F2820C783906CD4F06040B6850856D426519CE15
                                                                            SHA-256:A94EF9A36E53192F26D5118F0232B6D7F70943B3CF5A7DF6340A139A226D207B
                                                                            SHA-512:F807ED5BE0297462777A82B79D1AAC35CB4FF5FA54DE4D446050A8BB08677488072685A982BFF5A900823C5727196C05EF29B3EEB6ABCD17171C0EF7C3765270
                                                                            Malicious:false
                                                                            Preview: BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                                                            C:\Users\user\AppData\Local\Temp\nsa2731.tmp\nsDialogs.dll
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):9728
                                                                            Entropy (8bit):5.066422293646434
                                                                            Encrypted:false
                                                                            SSDEEP:96:oU2qZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4HpqndYHnxss:oU2q+CP3uKrpyREs06YxqodGn
                                                                            MD5:70D4C5F9ACC5DDF934B73FA311ADE7D8
                                                                            SHA1:6962E84782B0E1FE798CDCE1D7447211228CA85B
                                                                            SHA-256:02869B76936E3C3102BB36E34B41BC989770BF81DCA09F31C561BB6BE52285EE
                                                                            SHA-512:40189B463173CBBAD9C5101F37B4A37D970E9CD8E6F3D343CB8E54C54BDC7FDC3CFA8D7D7E7B7B0241C68768607C523BE2C2C21B7EFC727257731E1C5D1673FC
                                                                            Malicious:false
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....z.W...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...Q........................... ..`.rdata..{....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..l....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):154
                                                                            Entropy (8bit):5.06434100410945
                                                                            Encrypted:false
                                                                            SSDEEP:3:mKDDCMNqTtvL5oXp4EaKC50XVASmqRDXp4E2J5xAInTRI8TRAVZPy:hWKqTtT6PaZ50lbmq1P23fTddAVk
                                                                            MD5:71BD5BD91EBB91A939E0AB0D6560D28C
                                                                            SHA1:79CB69D678C58EF3122EC81443DB4D38AF084106
                                                                            SHA-256:227660DC691F3F47674D8F2DBCC48DF47B90F59D3E44092285999F170B9C1BFB
                                                                            SHA-512:F73C85CABA1A8719B35C3691833A8F2A609177461AB600323F87D1E8B234426F2FD32E2CC44876D642369AE5814A8F5C978EFE150D32A2EB434D911BBD2EA543
                                                                            Malicious:false
                                                                            Preview: @echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\astro-grep.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp3E29.tmp.bat" /f /q..
                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\astro-grep-setup.exe.LNK
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Sun Jul 18 03:39:30 2021, length=1443117, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):2128
                                                                            Entropy (8bit):4.541182450687829
                                                                            Encrypted:false
                                                                            SSDEEP:48:8i/XT3Ikt31S733oQh2i/XT3Ikt31S733oQ/:8i/XLIkt8noQh2i/XLIkt8noQ/
                                                                            MD5:5AD95C6B24A9E0814C973A7DD0152BCB
                                                                            SHA1:2D64590D05D4F190A646F9FAF93029097ACE7FD9
                                                                            SHA-256:C5DACC366D0349956C96DBE0661C0ACA8403D721A62AECB7A77C51E2FC5A6655
                                                                            SHA-512:6A960C8EA7646BCF890511D851FCC47D3B4AC76EEC06DEF2B1F6C3D0F450410EC16FB78D006F554DDD74325BF2CB242AFC99D1EF14213D0CCD8DC0E5CBE895C0
                                                                            Malicious:false
                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):98
                                                                            Entropy (8bit):4.352453630060136
                                                                            Encrypted:false
                                                                            SSDEEP:3:M1ZXOXPAkup2cWMXPAkup2mX1ZXOXPAkup2v:MGfAkefAknfAkd
                                                                            MD5:FD515263006BC00A3695B759289A747D
                                                                            SHA1:7CFDEC2A9BC2784996AC6D9DC6A0E0DEBD95E289
                                                                            SHA-256:E7834A7517ACADC1A45332C2B9BDF1024E0B4830370ED8B9CCB3AD77FA3B7F7A
                                                                            SHA-512:0ACDE3E772B32919F76188A0B8BDCF216DCC9B356D481E1DAE417C18DB4E361493B15FC0A4A9323020E508A71081C491DF5DC4EF76C25AB6089237688678DF26
                                                                            Malicious:false
                                                                            Preview: [doc]..astro-grep-setup.exe.LNK=0..astro-grep-setup.exe.LNK=0..[doc]..astro-grep-setup.exe.LNK=0..
                                                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):162
                                                                            Entropy (8bit):2.4311600611816426
                                                                            Encrypted:false
                                                                            SSDEEP:3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
                                                                            MD5:390880DCFAA790037FA37F50A7080387
                                                                            SHA1:760940B899B1DC961633242DB5FF170A0522B0A5
                                                                            SHA-256:BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
                                                                            SHA-512:47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
                                                                            Malicious:false
                                                                            C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                            Process:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):48640
                                                                            Entropy (8bit):5.561770945961325
                                                                            Encrypted:false
                                                                            SSDEEP:768:quCFNTAolrhWU5TeLmo2qrJW6K8e2gaM9PIItc5pIX0byDBm1ERjvmFq+YBDZsx:quCFNTA2G2d6K5aM6Itc5pIEbyAqRzyX
                                                                            MD5:432F0E0AAB658DE046D8B41D2CEF8253
                                                                            SHA1:7BA5B175FFB4BB976C54177F9C40A7339A088654
                                                                            SHA-256:17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
                                                                            SHA-512:BAC97805D8FCBA49B7BDE5067911B293622C610A65F2A2FC527A6C890BE8E79C6CA9C9676786B1EAAC19ECBDB16562EFEE2D7C985707FC04E57E4E3033C75B0B
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\astro-grep.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            C:\Users\user\Desktop\~$tro-grep-setup.exe.doc
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):162
                                                                            Entropy (8bit):2.4311600611816426
                                                                            Encrypted:false
                                                                            SSDEEP:3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
                                                                            MD5:390880DCFAA790037FA37F50A7080387
                                                                            SHA1:760940B899B1DC961633242DB5FF170A0522B0A5
                                                                            SHA-256:BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
                                                                            SHA-512:47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
                                                                            Malicious:false
                                                                            \Device\Null
                                                                            Process:C:\Windows\SysWOW64\timeout.exe
                                                                            File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.41440934524794
                                                                            Encrypted:false
                                                                            SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                            MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                            SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                            SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                            SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                            Malicious:false
                                                                            Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..

                                                                            Static File Info

                                                                            General

                                                                            File type:Microsoft OOXML
                                                                            Entropy (8bit):7.994288640917192
                                                                            TrID:
                                                                            • Word Microsoft Office Open XML Format document with Macro (52004/1) 86.67%
                                                                            • ZIP compressed archive (8000/1) 13.33%
                                                                            File name:astro-grep-setup.exe.doc
                                                                            File size:1446736
                                                                            MD5:9c3d3679ea84ff9bf67bf8c7aa2afc48
                                                                            SHA1:0470d616e8918ef03098741bf7fb0b313bb8aaea
                                                                            SHA256:2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
                                                                            SHA512:6896ad9abbbaa7760825d40086270f649a82a1291798173764e20deb7a5ef7a2f4070e247f27210f77341d70b6ed7215fa72a1711210610b428fcce39006af53
                                                                            SSDEEP:24576:gbi5q1lXj0di8tpgg/d3EVxW5Y62ddfMqKFIqlzFOQ1Yq8X2LcDLN:gbi5q1lXPupgU8Wy62dJVhqUYYq8X2s

                                                                            File Icon

                                                                            Icon Hash:e4eea2aaa4b4b4a4

                                                                            Static OLE Info

                                                                            General

                                                                            Document Type:OpenXML
                                                                            Number of OLE Files:1

                                                                            OLE File "/opt/package/joesandbox/database/analysis/450275/sample/astro-grep-setup.exe.doc"

                                                                            Indicators

                                                                            Has Summary Info:False
                                                                            Application Name:unknown
                                                                            Encrypted Document:False
                                                                            Contains Word Document Stream:
                                                                            Contains Workbook/Book Stream:
                                                                            Contains PowerPoint Document Stream:
                                                                            Contains Visio Document Stream:
                                                                            Contains ObjectPool Stream:
                                                                            Flash Objects Count:
                                                                            Contains VBA Macros:True

                                                                            Streams with VBA

                                                                            VBA File Name: NewMacros.bas, Stream Size: 29186
                                                                            General
                                                                            Stream Path:VBA/NewMacros
                                                                            VBA File Name:NewMacros.bas
                                                                            Stream Size:29186

                                                                            VBA Code Keywords

                                                                            Keyword
                                                                            Const
                                                                            Binary
                                                                            ActiveDocument.Paragraphs
                                                                            BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
                                                                            RemoveParagraph()
                                                                            Byte,
                                                                            Shits
                                                                            sss(sString
                                                                            vbLf,
                                                                            Public
                                                                            bOut(lOutSize)
                                                                            ReDim
                                                                            bIn()
                                                                            vbUnicode)
                                                                            String
                                                                            Long,
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHMidMask
                                                                            Shell(vbHH,
                                                                            lOutSize
                                                                            Explicit
                                                                            Left$(sOut,
                                                                            ChDir
                                                                            AddSpace()
                                                                            OOO.deletefolder
                                                                            RemoveParagraph
                                                                            vbNullString)
                                                                            bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
                                                                            Select
                                                                            String)
                                                                            vbCr,
                                                                            bOut(lOutSize
                                                                            StrConv(bOut,
                                                                            "==")
                                                                            iPad)
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask
                                                                            Option
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOneMask
                                                                            bOut((((UBound(bIn)
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHThreeMask
                                                                            pppppppppppppppppppppppppp
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask)
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHTwoMask
                                                                            Replace(sString,
                                                                            Wipedir(pppppppppppppppppppppppppp
                                                                            bTrans(mnAjUYt
                                                                            bTrans(mnAjUYt)
                                                                            lLen)
                                                                            vbDirectory))
                                                                            Workbook_Open()
                                                                            Len(sString)
                                                                            ((UBound(bIn)
                                                                            AutoOpen()
                                                                            bTrans(lTrip
                                                                            mnAjUYt
                                                                            StrConv(sString,
                                                                            Integer,
                                                                            ((mnAjUYt
                                                                            MkDir
                                                                            LBound(bIn)
                                                                            OOO.folderexists(pppppppppppppppppppppppppp)
                                                                            lTrip
                                                                            Integer
                                                                            Len(sOut)
                                                                            OBsGG
                                                                            While
                                                                            ChDrive
                                                                            bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
                                                                            Attribute
                                                                            bTrans(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
                                                                            Close
                                                                            sString
                                                                            Shits(vbHH
                                                                            VB_Name
                                                                            UBound(bIn)
                                                                            Function
                                                                            Paragraph
                                                                            AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                            Boolean
                                                                            vbFromUnicode)
                                                                            bOut()
                                                                            InStrRev(sString,
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask
                                                                            DoEvents
                                                                            "NewMacros"
                                                                            ElseIf
                                                                            HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHLowMask
                                                                            String(iPad,
                                                                            lQuad
                                                                            AddSpace
                                                                            Private
                                                                            bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                            FreeFile()
                                                                            Wipedir
                                                                            Else:
                                                                            VBA Code
                                                                            VBA File Name: ThisDocument.cls, Stream Size: 1308
                                                                            General
                                                                            Stream Path:VBA/ThisDocument
                                                                            VBA File Name:ThisDocument.cls
                                                                            Stream Size:1308

                                                                            VBA Code Keywords

                                                                            Keyword
                                                                            False
                                                                            VB_Exposed
                                                                            Attribute
                                                                            VB_Creatable
                                                                            VB_Name
                                                                            VB_PredeclaredId
                                                                            VB_GlobalNameSpace
                                                                            VB_Base
                                                                            VB_Customizable
                                                                            VB_TemplateDerived
                                                                            "ThisDocument"
                                                                            VBA Code

                                                                            Streams

                                                                            Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 424
                                                                            General
                                                                            Stream Path:PROJECT
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Stream Size:424
                                                                            Entropy:5.41291700674
                                                                            Base64 Encoded:True
                                                                            Data ASCII:I D = " { F F C D 0 B 4 A - 2 7 4 B - 4 9 B 5 - A A 6 5 - 3 4 5 7 7 F 8 B 9 A 0 C } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E E E C E 3 1 7 3 F E B 2 9 E F 2 9 E F 2 9 E F 2 9 E F " . . D P B = " D C D E D 1 0 5 5 1 F 2 5 2 F 2 5 2 F 2 " . . G C = " C A C 8 C 7 3 B B 4 3 C B 4 3 C 4 B " . . . .
                                                                            Stream Path: PROJECTwm, File Type: data, Stream Size: 71
                                                                            Entropy: 3.34859995248
                                                                            Base64 Encoded: False
                                                                            Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
                                                                            Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 11163
                                                                            Entropy: 5.63595965668
                                                                            Base64 Encoded: True
                                                                            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 6 . \\ .
                                                                            Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 8028
                                                                            Entropy: 4.00391409187
                                                                            Base64 Encoded: False
                                                                            Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i . g D . S ~ . ^ . 3 . . . . . . . .
                                                                            Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 168
                                                                            Entropy: 3.45905494445
                                                                            Base64 Encoded: False
                                                                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . s S t r i n g . . . . . . . . b . . . . . . . . p p p p p p p p p p p p p p p p p p p p p p p p p p . . . . . . . . v b H H . . . . . . . . o _ _ _ _ _ _ X X 1 6 0 4 1 1 1 8 0 5 0 ] . . . . . . .
                                                                            Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 5828
                                                                            Entropy: 4.71236123935
                                                                            Base64 Encoded: False
                                                                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . & . . . . . . a . . . . . . . ! . . . . . . . . . . . . . . . i . . . . . . . Y . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 , . . . . . . . . . . . .
                                                                            Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 560
                                                                            Entropy: 2.34416861003
                                                                            Base64 Encoded: False
                                                                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . 0 ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . 0 $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . 0 ( . ! . . . . . . . . . . ` . . . . . . . . . . . . . . .
                                                                            Stream Path: VBA/dir, File Type: data, Stream Size: 579
                                                                            Entropy: 6.33932303857
                                                                            Base64 Encoded: True
                                                                            Data ASCII:. ? . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . } J ! Y $ . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . I ! Y .

                                                                            Network Behavior

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Jul 17, 2021 21:43:22.937797070 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:22.979221106 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:22.979372978 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.030906916 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.072232008 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.080873966 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.080923080 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.080955982 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.081120014 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.095165014 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.136511087 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.136955023 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.344347000 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.385757923 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:23.385946035 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.802284002 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:23.844379902 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:24.150795937 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:24.150859118 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:24.150995970 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:24.159529924 CEST | 49166 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:24.211431980 CEST | 57667 | 49166 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:24.717339039 CEST | 49166 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:24.769429922 CEST | 57667 | 49166 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:25.263387918 CEST | 49166 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:25.315313101 CEST | 57667 | 49166 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:30.319852114 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:30.361310959 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:30.403760910 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:30.403804064 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:30.403997898 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:30.404824972 CEST | 49167 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:30.456526041 CEST | 57667 | 49167 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:30.957859993 CEST | 49167 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:31.009634972 CEST | 57667 | 49167 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:31.519514084 CEST | 49167 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:31.571357965 CEST | 57667 | 49167 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:36.711966038 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:36.755567074 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:36.767221928 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:36.767251968 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:36.767441988 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:36.856431007 CEST | 49168 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:36.908551931 CEST | 57667 | 49168 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:37.494915962 CEST | 49168 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:37.547566891 CEST | 57667 | 49168 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:38.087739944 CEST | 49168 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:38.139662027 CEST | 57667 | 49168 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:43.174946070 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:43.227200985 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:43.227236032 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:43.227401972 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:43.229460955 CEST | 49169 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:43.281467915 CEST | 57667 | 49169 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:43.782243967 CEST | 49169 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:43.835005045 CEST | 57667 | 49169 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:44.344006062 CEST | 49169 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:44.395854950 CEST | 57667 | 49169 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:49.400815010 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:49.460067987 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:49.460108995 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:49.460268021 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:49.462605953 CEST | 49170 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:49.514323950 CEST | 57667 | 49170 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:50.085216045 CEST | 49170 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:50.137279034 CEST | 57667 | 49170 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:50.646930933 CEST | 49170 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:50.700400114 CEST | 57667 | 49170 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:55.835741043 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:55.888169050 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:55.888216972 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:55.888462067 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:43:55.893640041 CEST | 49171 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:55.946841002 CEST | 57667 | 49171 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:56.497380018 CEST | 49171 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:56.550071955 CEST | 57667 | 49171 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:43:57.090270996 CEST | 49171 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:43:57.143826962 CEST | 57667 | 49171 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:02.147339106 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:44:02.203875065 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:02.203919888 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:02.204125881 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:44:02.206224918 CEST | 49172 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:44:02.258479118 CEST | 57667 | 49172 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:02.769176006 CEST | 49172 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:44:02.821069002 CEST | 57667 | 49172 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:03.330764055 CEST | 49172 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:44:03.384084940 CEST | 57667 | 49172 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:08.386791945 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:44:08.436944962 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:08.436992884 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:08.437083006 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:44:08.438076019 CEST | 49173 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:44:08.489752054 CEST | 57667 | 49173 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:09.009720087 CEST | 49173 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:44:09.061578989 CEST | 57667 | 49173 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:09.571460962 CEST | 49173 | 57667 | 192.168.2.22 | 185.195.232.251
                                                                            Jul 17, 2021 21:44:09.623500109 CEST | 57667 | 49173 | 185.195.232.251 | 192.168.2.22
                                                                            Jul 17, 2021 21:44:15.260936975 CEST | 49165 | 443 | 192.168.2.22 | 104.23.98.190
                                                                            Jul 17, 2021 21:44:15.315519094 CEST | 443 | 49165 | 104.23.98.190 | 192.168.2.22

                                                                            UDP Packets

                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Jul 17, 2021 21:43:22.421515942 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                                                            Jul 17, 2021 21:43:22.482573986 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                                                                            DNS Queries

                                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                            Jul 17, 2021 21:43:22.421515942 CEST | 192.168.2.22 | 8.8.8.8 | 0x919c | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)

                                                                            DNS Answers

                                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                            Jul 17, 2021 21:43:22.482573986 CEST | 8.8.8.8 | 192.168.2.22 | 0x919c | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                                                            Jul 17, 2021 21:43:22.482573986 CEST | 8.8.8.8 | 192.168.2.22 | 0x919c | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)

                                                                            HTTPS Packets

                                                                            Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                                            Jul 17, 2021 21:43:23.080955982 CEST | 104.23.98.190 | 443 | 192.168.2.22 | 49165 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Sat Jul 17 02:00:00 CEST 2021 | Sun Jul 17 01:59:59 CEST 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
                                                                            (same connection, chain certificate) | | | | | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior

                                                                            System Behavior

                                                                            General

                                                                            Start time: 21:39:30
                                                                            Start date: 17/07/2021
                                                                            Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            Wow64 process (32bit): false
                                                                            Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                            Imagebase: 0x13ff90000
                                                                            File size: 1424032 bytes
                                                                            MD5 hash: 95C38D04597050285A18F66039EDB456
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: high

                                                                            General

                                                                            Start time:21:42:00
                                                                            Start date:17/07/2021
                                                                            Path:C:\ProgramData\Memsys\ms.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\ProgramData\Memsys\ms.exe
                                                                            Imagebase:0xb70000
                                                                            File size:1068032 bytes
                                                                            MD5 hash:DBBB611DAF3ABD47972AE4FAF5D54C95
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2391184390.0000000000B7F000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.2386988323.0000000000B7F000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: C:\ProgramData\Memsys\ms.exe, Author: Florian Roth
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Memsys\ms.exe, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low

                                                                            General

                                                                            Start time:21:42:01
                                                                            Start date:17/07/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                                                                            Imagebase:0x920000
                                                                            File size:48640 bytes
                                                                            MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.2441547401.0000000000922000.00000020.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.2389222840.0000000000922000.00000020.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.2441758985.00000000024AF000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low

                                                                            General

                                                                            Start time:21:42:02
                                                                            Start date:17/07/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                                                                            Imagebase:0x400000
                                                                            File size:950654 bytes
                                                                            MD5 hash:A708211241313FEAF9621E571631534D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low

                                                                            General

                                                                            Start time:21:42:25
                                                                            Start date:17/07/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
                                                                            Imagebase:0x4a680000
                                                                            File size:302592 bytes
                                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:42:25
                                                                            Start date:17/07/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp3E29.tmp.bat''
                                                                            Imagebase:0x4a680000
                                                                            File size:302592 bytes
                                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:42:26
                                                                            Start date:17/07/2021
                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                                                                            Imagebase:0x9f0000
                                                                            File size:179712 bytes
                                                                            MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:42:26
                                                                            Start date:17/07/2021
                                                                            Path:C:\Windows\SysWOW64\timeout.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:timeout 3
                                                                            Imagebase:0x270000
                                                                            File size:27136 bytes
                                                                            MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:42:28
                                                                            Start date:17/07/2021
                                                                            Path:C:\Windows\System32\taskeng.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:taskeng.exe {E0184388-4CC0-4E79-AF38-011207705295} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                                            Imagebase:0xfff50000
                                                                            File size:464384 bytes
                                                                            MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:42:28
                                                                            Start date:17/07/2021
                                                                            Path:C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                            Imagebase:0x190000
                                                                            File size:48640 bytes
                                                                            MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000000.2447425472.0000000000192000.00000020.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.2652015747.0000000000192000.00000020.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\astro-grep.exe, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low

                                                                            General

                                                                            Start time:21:42:30
                                                                            Start date:17/07/2021
                                                                            Path:C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Roaming\astro-grep.exe'
                                                                            Imagebase:0x190000
                                                                            File size:48640 bytes
                                                                            MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.2450569517.0000000000192000.00000020.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.2501813179.0000000000192000.00000020.00020000.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                            Disassembly

                                                                            Code Analysis

                                                                            Reset < >