Windows Analysis Report ms.bin

Overview

General Information

Sample Name: ms.bin (renamed file extension from bin to exe)
Analysis ID: 450276
MD5: dbbb611daf3abd47972ae4faf5d54c95
SHA1: 1b33772f2acc9e6673a2922587b00db86f5fba01
SHA256: d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
Tags: Asyncexe

Detection

AsyncRAT
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ms.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: ms.exe Virustotal: Detection: 78%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ms.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.2.astro-grep.exe.430000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.astro-grep.exe.770000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.ms.exe.a30000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.0.astro-grep.exe.430000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.ms.exe.a4b130.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.astro-grep.exe.770000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.ms.exe.a4b130.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.ms.exe.a30000.1.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: ms.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window detected: Nullsoft Install System v3.0rc1 License Agreement (Please review the license terms before installing AstroGrep v4.4.7; the window text continues with the GNU General Public License Version 2, June 1991)
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt
Source: ms.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Re:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb- source: AstroGrep.AdminProcess.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AstroGrep.Common\obj\Release\AstroGrep.Common.pdb source: AstroGrep.Common.dll.5.dr
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb@ source: libAstroGrep.dll.5.dr
Source: Binary string: .exe;.dll;.pdb;.msi;.sys;.ppt;.gif;.jpg;.jpeg;.png;.bmp;.class;.chm+{0}{4}{1}{4}{2}{4}{3} source: AstroGrep.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb source: libAstroGrep.dll.5.dr
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb source: AstroGrep.AdminProcess.exe.5.dr
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00406033 FindFirstFileA,FindClose, 5_2_00406033
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_004055D1
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00402688 FindFirstFileA, 5_2_00402688
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 185.195.232.251:57667
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.98.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 185.195.232.251
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: AstroGrep.exe.5.dr String found in binary or memory: http://astrogrep.sourceforge.net
Source: AstroGrep.exe.5.dr String found in binary or memory: http://astrogrep.sourceforge.net/Ihttp://www.gnu.org/copyleft/gpl.html
Source: AstroGrep.exe.5.dr String found in binary or memory: http://astrogrep.sourceforge.net/download/
Source: AstroGrep.Common.dll.5.dr String found in binary or memory: http://astrogrep.sourceforge.net/version.htmlUhttp://astrogrep.sourceforge.net/download/Whttps://sou
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: AstroGrep.exe.5.dr String found in binary or memory: http://downloads.sourceforge.net/astrogrep/
Source: AstroGrep.exe.5.dr String found in binary or memory: http://downloads.sourceforge.net/astrogrep/readme.txt
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/3
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/5
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/T
Source: ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ms.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000003.256251943.000000000074E000.00000004.00000001.sdmp, ms.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com
Source: astro-grep.exe String found in binary or memory: http://schemas.microsof
Source: NLog.dll.5.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ASTRO-GREP.EXE, 00000003.00000002.250692664.0000000002A34000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: AstroGrep.exe.5.dr String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: AstroGrep.exe.5.dr String found in binary or memory: http://www.gnu.org/copyleft/gpl.html#SEC3
Source: NLog.dll.5.dr String found in binary or memory: https://nlog-project.org/
Source: astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com
Source: astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw
Source: astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGM
Source: astro-grep.exe, 0000000D.00000002.462183818.0000000002B36000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com43l
Source: astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462336171.0000000002C73000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462353763.0000000002C96000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462305606.0000000002C51000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD83l
Source: astro-grep.exe, 0000000D.00000002.462235560.0000000002B82000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD83lh;
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: ms.exe, type: SAMPLE
Source: Yara match File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 5_2_00405086

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_0040310F
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F28148 3_2_00F28148
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2B258 3_2_00F2B258
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2E5B0 3_2_00F2E5B0
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F27878 3_2_00F27878
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F27130 3_2_00F27130
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004048C5 5_2_004048C5
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004064CB 5_2_004064CB
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00406CA2 5_2_00406CA2
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EA8148 13_2_00EA8148
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EAE5B0 13_2_00EAE5B0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EA7878 13_2_00EA7878
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EA7130 13_2_00EA7130
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EACD60 13_2_00EACD60
PE file contains executable resources (Code or Archives)
Source: ms.exe Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ms.exe Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: ms.exe Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
PE file contains strange resources
Source: ms.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ms.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ms.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AstroGrep.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: ms.exe, 00000001.00000002.200160111.0000000002430000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs ms.exe
Source: ms.exe, 00000001.00000002.199948307.00000000009F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs ms.exe
Source: ms.exe, 00000001.00000002.199948307.00000000009F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ms.exe
Source: ms.exe Binary or memory string: OriginalFilenameStub.exe" vs ms.exe
Source: ms.exe Binary or memory string: OriginalFilenameAstroGrep_Setup_v4.4.7.exe@ vs ms.exe
Uses 32bit PE files
Source: ms.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: ms.exe, type: SAMPLE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: ASTRO-GREP.EXE.1.dr, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUeYeeUck8GNsyx8WHqW6DHeMgQYSOay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: astro-grep.exe.3.dr, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 13.2.astro-grep.exe.770000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 13.0.astro-grep.exe.770000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 17.2.astro-grep.exe.430000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 17.0.astro-grep.exe.430000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.cs Base64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', [fourth string identical to the one listed for ASTRO-GREP.EXE.1.dr above], 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
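The first three strings above each decode to exactly 64 bytes, and the fourth is far longer. That is the shape produced by the Aes256 class of the publicly available AsyncRAT client source: a 32-byte HMAC-SHA256 tag, a 16-byte AES-CBC IV, then the PKCS#7-padded ciphertext, with the 32-byte AES key and the 64-byte HMAC key both taken in sequence from PBKDF2-HMAC-SHA1 over the configured master key with a fixed 32-byte salt and 50000 iterations (.NET's Rfc2898DeriveBytes). The Python below is an added example written for this page, not code from the report or from the malware. It checks that layout on the strings copied from the report and demonstrates the key derivation and the HMAC check against a constructed master key, because the sample's real key does not appear in this section. The function names are this example's own; the final AES-CBC step is left out since it needs the real key and a crypto library.

```python
import base64
import hashlib
import hmac
import os

# Copied from the report: the three short strings from zElUlVwqERLYn/eHcZPkAtyHA.cs.
REPORT_STRINGS = [
    "QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==",
    "NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==",
    "R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==",
]

# Constants of the public AsyncRAT client's Aes256 class: fixed salt, PBKDF2 iteration
# count, and the tag | IV | ciphertext layout. .NET's Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1.
SALT = bytes.fromhex("BFEB1E56FBCD973BB219022430A57843003D5644D21E62B9D4F180E7E6C33941")
ITERATIONS = 50000
HMAC_LEN, IV_LEN, AES_BLOCK = 32, 16, 16


def derive_keys(master_key: bytes):
    """Return (aes_key, hmac_key): the first 32 and the next 64 bytes of one PBKDF2 stream."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key, SALT, ITERATIONS, dklen=32 + 64)
    return stream[:32], stream[32:]


def split_blob(b64: str):
    """Split a blob into (tag, iv, ciphertext); reject anything not shaped like CBC output."""
    raw = base64.b64decode(b64, validate=True)
    body = len(raw) - HMAC_LEN - IV_LEN
    if body <= 0 or body % AES_BLOCK:
        raise ValueError("unexpected blob length %d" % len(raw))
    return raw[:HMAC_LEN], raw[HMAC_LEN:HMAC_LEN + IV_LEN], raw[HMAC_LEN + IV_LEN:]


def verify(b64: str, master_key: bytes) -> bool:
    """True when the leading tag equals HMAC-SHA256(hmac_key, iv || ciphertext)."""
    tag, iv, ciphertext = split_blob(b64)
    _, hmac_key = derive_keys(master_key)
    expected = hmac.new(hmac_key, iv + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def build_blob(master_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Constructed blob in the same layout, so the check can be exercised without the real key."""
    _, hmac_key = derive_keys(master_key)
    tag = hmac.new(hmac_key, iv + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ciphertext).decode()


def layout_report(strings):
    """(tag, iv, ciphertext) byte lengths for each string."""
    return [tuple(len(part) for part in split_blob(s)) for s in strings]


if __name__ == "__main__":
    for s, shape in zip(REPORT_STRINGS, layout_report(REPORT_STRINGS)):
        print("%s... tag/iv/ciphertext bytes: %s" % (s[:16], shape))
    fake_key = b"example-master-key"  # constructed; the sample's real key is not in this section
    blob = build_blob(fake_key, os.urandom(IV_LEN), os.urandom(2 * AES_BLOCK))
    print("constructed blob verifies with its own key:", verify(blob, fake_key))
    print("report string verifies with the constructed key:", verify(REPORT_STRINGS[0], fake_key))
```

A single 16-byte ciphertext block holds at most 15 bytes of plaintext under PKCS#7 padding, so the three short blobs are small settings rather than bulk material; the much longer fourth string is the size one would expect for the items the public client stores as larger values, such as the server certificate. With the real master key from the sample's settings, `verify()` on the report strings should return True and AES-CBC decryption could follow.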
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ASTRO-GREP.EXE.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ASTRO-GREP.EXE.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.0.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ICSharpCode.AvalonEdit.dll.5.dr Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
Source: ICSharpCode.AvalonEdit.dll.5.dr Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
Source: ICSharpCode.AvalonEdit.dll.5.dr Binary or memory string: c.xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec
Source: classification engine Classification label: mal52.troj.evad.winEXE@19/26@1/2
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_0040310F
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00404352 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 5_2_00404352
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_0040205E CoCreateInstance,MultiByteToWideChar, 5_2_0040205E
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A310C0 _memset,OutputDebugStringA,FindResourceA,CreateFileA,SizeofResource,LoadResource,LockResource,WriteFile,FindCloseChangeNotification,ShellExecuteA, 1_2_00A310C0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File created: C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3820:120:WilError_01
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:784:120:WilError_01
Source: C:\Users\user\Desktop\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Users\user\Desktop\ms.exe Command line argument: shell32.dll 1_2_00A31320
Source: C:\Users\user\Desktop\ms.exe Command line argument: ShellExecuteA 1_2_00A31320
Source: C:\Users\user\Desktop\ms.exe Command line argument: RBIND 1_2_00A31320
Source: ms.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ms.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ms.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ms.exe Virustotal: Detection: 78%
Source: unknown Process created: C:\Users\user\Desktop\ms.exe 'C:\Users\user\Desktop\ms.exe'
Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
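The process-creation lines above give the whole installation chain: ms.exe drops and starts ASTRO-GREP.EXE, which registers its copy in AppData\Roaming as an on-logon scheduled task with `/rl highest` and then re-launches that copy through a temporary batch file after `timeout 3`. The `WindowsIdentity.GetCurrent()` and `WindowsPrincipal.IsInRole(WindowsBuiltInRole)` calls listed earlier are the administrator check on which the public AsyncRAT client source chooses this elevated scheduled-task branch over a non-elevated autorun entry; only the elevated branch is visible in this report. The Python below is an added example, not part of the report: it parses those lines (copied here as constructed input), rebuilds the parent chain of the schtasks.exe call, and extracts the task's trigger, run level and target so the result can feed a detection rule or an IOC list. The field names and the user-writable path list are this example's own choices, and the chain is keyed on image path where real endpoint telemetry would key on process ID.

```python
import re
from collections import defaultdict

# Constructed input: the report's "Process created" lines, copied verbatim
# (Joe Sandbox renders an embedded double quote as '').
EVENTS = r"""
Source: unknown Process created: C:\Users\user\Desktop\ms.exe 'C:\Users\user\Desktop\ms.exe'
Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
""".strip().splitlines()

LINE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) ?(?P<cmdline>.*)$")
# Locations an unprivileged user can write to; a persistence target in one of them is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def parse(lines):
    """Turn each report line into a (parent_image, image, cmdline) tuple."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def ancestry(events, image):
    """Walk parent links upward from `image` and return the chain root-first."""
    parent_of = {}
    for parent, child, _ in events:
        parent_of.setdefault(child, parent)  # first sighting wins
    chain = [image]
    while parent_of.get(chain[-1], "unknown") != "unknown":
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def _arg(cmdline, flag):
    """Value of a schtasks /flag, with the report's single-quote wrapping removed."""
    m = re.search(r"/%s\s+('*)(.+?)\1(?=\s|$)" % flag, cmdline, re.I)
    return m.group(2) if m else None


def task_findings(events):
    """One finding per schtasks /create, with the fields a detection would key on."""
    findings = []
    for _, image, cmdline in events:
        if not image.lower().endswith("schtasks.exe") or "/create" not in cmdline.lower():
            continue
        target = _arg(cmdline, "tr") or ""
        findings.append({
            "task": _arg(cmdline, "tn"),
            "trigger": (_arg(cmdline, "sc") or "").lower(),
            "runlevel": (_arg(cmdline, "rl") or "").lower(),
            "target": target,
            "user_writable": any(p in target.lower() for p in USER_WRITABLE),
            "chain": ancestry(events, image),
        })
    return findings


def batch_relaunch(events, target):
    """True if a cmd.exe /c <x>.bat wrapper ran timeout.exe and then started `target`."""
    children = defaultdict(list)
    for parent, image, _ in events:
        children[parent].append(image.lower())
    for _, image, cmdline in events:
        if image.lower().endswith("cmd.exe") and re.search(r"\.bat'*\s*$", cmdline, re.I):
            spawned = children[image]
            if any(s.endswith("timeout.exe") for s in spawned) and target.lower() in spawned:
                return True
    return False


if __name__ == "__main__":
    events = parse(EVENTS)
    for f in task_findings(events):
        print("task %r: trigger %s, runlevel %s -> %s (user-writable target: %s)"
              % (f["task"], f["trigger"], f["runlevel"], f["target"], f["user_writable"]))
        print("  chain:", " -> ".join(f["chain"]))
        print("  batch-file relaunch of target:", batch_relaunch(events, f["target"]))
```

The combination the script surfaces (logon trigger, highest run level, target under a user-writable profile path, created by a cmd.exe whose parent lives in %TEMP%) is the part worth alerting on; a legitimate installer would register a task pointing into Program Files, as the bundled AstroGrep setup does for its own files.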
Source: C:\Users\user\Desktop\ms.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window detected: < &BackI &AgreeCancelNullsoft Install System v3.0rc1 Nullsoft Install System v3.0rc1License AgreementPlease review the license terms before installing AstroGrep v4.4.7.Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs too. When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it. For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all the rights that you have. You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software and (2) offer you this license which gives you legal permission to copy distribute and/or modify the software. Also for each author's protection and ours we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on we want its recipients to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors' reputations. Finally any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses in effect making the program proprietary. To prevent this we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution and modification follow. GNU GENERAL PUBLIC L
Source: ms.exe Static file information: File size 1068032 > 1048576
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ms.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Re:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb- source: AstroGrep.AdminProcess.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AstroGrep.Common\obj\Release\AstroGrep.Common.pdb source: AstroGrep.Common.dll.5.dr
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb@ source: libAstroGrep.dll.5.dr
Source: Binary string: .exe;.dll;.pdb;.msi;.sys;.ppt;.gif;.jpg;.jpeg;.png;.bmp;.class;.chm+{0}{4}{1}{4}{2}{4}{3} source: AstroGrep.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb source: libAstroGrep.dll.5.dr
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb source: AstroGrep.AdminProcess.exe.5.dr
Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: ASTRO-GREP.EXE.1.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: astro-grep.exe.3.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.2.astro-grep.exe.770000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.0.astro-grep.exe.770000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.astro-grep.exe.430000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.astro-grep.exe.430000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A36260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00A36260
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A34485 push ecx; ret 1_2_00A34498
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F711F push cs; iretd 3_2_005F7202
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F7399 push es; ret 3_2_005F7608
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F710D push cs; iretd 3_2_005F7202
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F2F81 push eax; ret 3_2_005F2F95
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F2A66 push 0000003Eh; retn 0000h 3_2_005F2DC0
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F4122 push eax; ret 3_2_005F412C
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2BE10 pushfd ; retf 3_2_00F2BE49
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00772A66 push 0000003Eh; retn 0000h 13_2_00772DC0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00774122 push eax; ret 13_2_0077412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_0077711F push cs; iretd 13_2_00777202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00777399 push es; ret 13_2_00777608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00772F81 push eax; ret 13_2_00772F95
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_0077710D push cs; iretd 13_2_00777202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00432F81 push eax; ret 17_2_00432F95
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_0043710D push cs; iretd 17_2_00437202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00437399 push es; ret 17_2_00437608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_0043711F push cs; iretd 17_2_00437202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00434122 push eax; ret 17_2_0043412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00432A66 push 0000003Eh; retn 0000h 17_2_00432DC0

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\StartMenu.dll
Source: C:\Users\user\Desktop\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File created: C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\NLog.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Source: C:\Users\user\Desktop\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: ms.exe, type: SAMPLE
Source: Yara match File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\ms.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\ms.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AsyncRAT (same Yara matches as listed under Boot Survival)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: astro-grep.exe, ms.exe Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\NLog.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\Uninstall.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 6128 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 4840 Thread sleep time: -45000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 4920 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\astro-grep.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File Volume queried: C:\Program Files (x86) FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00406033 FindFirstFileA,FindClose, 5_2_00406033
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_004055D1
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00402688 FindFirstFileA, 5_2_00402688
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ms.exe Binary or memory string: vmware
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: astro-grep.exe, 0000000D.00000002.465070597.00000000050B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2BC64 CheckRemoteDebuggerPresent, 3_2_00F2BC64
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A33BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00A33BEC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A36260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00A36260
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A34991 SetUnhandledExceptionFilter, 1_2_00A34991
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A33BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00A33BEC
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A32701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00A32701
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' Jump to behavior
Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat'' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe' Jump to behavior
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp Binary or memory string: Progman
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Queries volume information: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A35173 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00A35173
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 5_2_00405D51
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: ms.exe, type: SAMPLE
Source: Yara match File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED