
Windows Analysis Report ms.bin

Overview

General Information

Sample Name: ms.bin (renamed file extension from bin to exe)
Analysis ID: 450276
MD5: dbbb611daf3abd47972ae4faf5d54c95
SHA1: 1b33772f2acc9e6673a2922587b00db86f5fba01
SHA256: d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
Tags: Asyncexe

Detection

AsyncRAT
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ms.exe (PID: 4156 cmdline: 'C:\Users\user\Desktop\ms.exe' MD5: DBBB611DAF3ABD47972AE4FAF5D54C95)
    • ASTRO-GREP.EXE (PID: 5416 cmdline: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
      • cmd.exe (PID: 912 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5996 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 3352 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 1364 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • astro-grep.exe (PID: 2792 cmdline: 'C:\Users\user\AppData\Roaming\astro-grep.exe' MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
    • ASTROGREP_SETUP_V4.4.7.EXE (PID: 3728 cmdline: 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE' MD5: A708211241313FEAF9621E571631534D)
  • astro-grep.exe (PID: 748 cmdline: C:\Users\user\AppData\Roaming\astro-grep.exe MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
  • cleanup
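The process tree shows the whole persistence chain in three steps: the binder (ms.exe) starts the dropped payload from %TEMP%, the payload registers a logon-triggered scheduled task with /rl highest that points at a copy in AppData\Roaming, and a tmpXXXX.tmp.bat does "timeout 3" and relaunches that copy. The detection logic below is an added example written for this page, not Joe Sandbox code and not a published Sigma rule; it runs over constructed process-creation records (Sysmon Event ID 1 style field names) modelled on the tree above, plus one benign control record. Rule names, the regexes and the severity labels are choices made for the example.

```python
import re

# Constructed process-creation records modelled on the process tree above.
# Field names follow Sysmon Event ID 1 / Sigma conventions; the records are
# hand-written for this example, not exported from the sandbox.
EVENTS = [
    {"pid": 4156, "ppid": 0,    "Image": r"C:\Users\user\Desktop\ms.exe",
     "CommandLine": r"'C:\Users\user\Desktop\ms.exe'"},
    {"pid": 5416, "ppid": 4156, "Image": r"C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'"},
    {"pid": 912,  "ppid": 5416, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest "
                    r"/tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit"},
    {"pid": 5996, "ppid": 912,  "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' "
                    r"/tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''"},
    {"pid": 3352, "ppid": 5416, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''"},
    {"pid": 1364, "ppid": 3352, "Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout 3"},
    {"pid": 2792, "ppid": 3352, "Image": r"C:\Users\user\AppData\Roaming\astro-grep.exe",
     "CommandLine": r"'C:\Users\user\AppData\Roaming\astro-grep.exe'"},
    {"pid": 3728, "ppid": 4156, "Image": r"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'"},
    # Benign control (constructed): a daily task whose action lives under Program Files.
    {"pid": 7000, "ppid": 1,    "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc daily /tn Backup /tr 'C:\Program Files\Backup\backup.exe'"},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
TEMP_BAT      = re.compile(r"\\appdata\\local\\temp\\tmp[0-9a-f]+\.tmp\.bat", re.I)
TEMP_EXE      = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
ROAMING       = re.compile(r"\\appdata\\roaming\\", re.I)
USER_DROP_DIR = re.compile(r"\\users\\[^\\]+\\(desktop|downloads)\\", re.I)


def analyze(events):
    """Return (pid, rule, severity) triples for events matching the dropper/persistence chain."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        cl, img = e["CommandLine"].lower(), e["Image"].lower()

        # Rule A: logon-triggered task whose action lives in a user-writable directory.
        # /rl highest asks for the highest privilege the user holds, so rate it higher.
        if "schtasks" in cl and "/create" in cl and "/sc onlogon" in cl and USER_WRITABLE.search(cl):
            findings.append((e["pid"], "logon_task_from_user_writable_dir",
                             "high" if "/rl highest" in cl else "medium"))

        # Rule B: cmd.exe running %TEMP%\tmpXXXX.tmp.bat whose children are a timeout.exe
        # delay and a relaunch from AppData\Roaming: the self-relocation handoff in the tree.
        if img.endswith("\\cmd.exe") and TEMP_BAT.search(cl):
            kids = children.get(e["pid"], [])
            delayed  = any(k["Image"].lower().endswith("\\timeout.exe") for k in kids)
            relaunch = any(ROAMING.search(k["Image"]) for k in kids)
            if delayed and relaunch:
                findings.append((e["pid"], "temp_batch_delayed_relaunch", "high"))

        # Rule C: executable started from %TEMP% by a parent running from Desktop/Downloads
        # (a binder unpacking its payloads; here both the RAT and the decoy installer fire).
        parent = by_pid.get(e["ppid"])
        if TEMP_EXE.search(img) and parent and USER_DROP_DIR.search(parent["Image"]):
            findings.append((e["pid"], "temp_exe_launched_by_user_dir_parent", "medium"))
    return findings


if __name__ == "__main__":
    for pid, rule, sev in analyze(EVENTS):
        print(f"{sev:6} pid={pid:<5} {rule}")
```

Rule C on its own is noisy (plenty of legitimate installers run from %TEMP%), which is why the example keeps it at medium and leans on Rules A and B; the combination of all three under one parent is what makes the chain above distinctive. The benign control record is there to show that a scheduled task is not flagged merely for existing.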

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ms.exe | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth |
  • 0xa0a8:$x4: C:\Users\DarkCoderSc\
  • 0xa0c5:$x5: Celesty Binder\Stub\STATIC\Stub.pdb
ms.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\Users\user\AppData\Roaming\astro-grep.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(7 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.astro-grep.exe.430000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3.0.ASTRO-GREP.EXE.5f0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
1.2.ms.exe.a3f330.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
13.2.astro-grep.exe.770000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3.2.ASTRO-GREP.EXE.5f0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(11 further entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth, oscd.community | Data:
  Command: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
  CommandLine: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
  CommandLine|base64offset|contains: (empty)
  Image: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
  NewProcessName: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
  OriginalFileName: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
  ParentCommandLine: 'C:\Users\user\Desktop\ms.exe'
  ParentImage: C:\Users\user\Desktop\ms.exe
  ParentProcessId: 4156
  ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
  ProcessId: 5416
Note: the event that matched is the binder (ms.exe, PID 4156) starting the dropped ASTRO-GREP.EXE. Neither Image nor CommandLine references regsvr32.exe and the base64offset field matched on an empty value, so this hit by itself is not evidence of regsvr32 abuse; the schtasks persistence shown in the process tree is the actionable finding.

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ms.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: ms.exe | VirusTotal: Detection: 78%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ms.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 17.2.astro-grep.exe.430000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 13.2.astro-grep.exe.770000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.0.ms.exe.a30000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 17.0.astro-grep.exe.430000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.0.ms.exe.a4b130.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.astro-grep.exe.770000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.ms.exe.a4b130.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.ms.exe.a30000.1.unpack | Avira: Label: TR/Dropper.Gen
Uses 32bit PE files
Source: ms.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Window detected: < &Back | I &Agree | Cancel | Nullsoft Install System v3.0rc1 | License Agreement | Please review the license terms before installing AstroGrep v4.4.7. Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs too. When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it. For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all the rights that you have. You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software and (2) offer you this license which gives you legal permission to copy distribute and/or modify the software. Also for each author's protection and ours we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on we want its recipients to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors' reputations. Finally any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses in effect making the program proprietary. To prevent this we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution and modification follow. GNU GENERAL PUBLIC L
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\readme.txt
Source: ms.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
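The two "Static PE information" lines above (32BIT_MACHINE, EXECUTABLE_IMAGE; TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) come straight from the IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics words of the PE. The parser below is an added example written for this page, not Joe Sandbox code; it reads those two fields with only the standard library, so the same check can be run on any sample before it is executed. The input is a constructed headers-only PE built by build_sample_pe (the real ms.exe is not embedded here), and the flag names are the documented PE constant names minus the IMAGE_ prefix.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset) and
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset), named as the report names them.
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def build_sample_pe(characteristics, dll_characteristics, magic=0x10B):
    """Constructed headers-only PE image for testing; not the submitted sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, magic)                # 0x10B = PE32, 0x20B = PE32+
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics field
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def pe_static_info(data):
    """Parse the DOS, file and optional headers and name the flags the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                         # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic))
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    # (PE32+ drops BaseOfData but widens ImageBase, so the offset is unchanged).
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": hex(machine),
        "format": fmt,
        "sections": nsections,
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
    }


def missing_mitigations(info):
    """Loader-enforced mitigations the image does not opt into."""
    wanted = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")
    return [m for m in wanted if m not in info["dll_characteristics"]]


if __name__ == "__main__":
    # Same flag words as the report's two Static PE information lines: 0x0102 and 0x8140.
    info = pe_static_info(build_sample_pe(0x0102, 0x8140))
    print(info)
    print("missing:", missing_mitigations(info))
```

A RAT stub opting into ASLR and DEP, as this one does, is no sign of benign intent; the flags are whatever the compiler defaulted to. Their value for triage is the inverse: a PE without DYNAMIC_BASE or NX_COMPAT is either very old or deliberately built to keep exploitation of its own process easy, and either is worth a second look.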
Source: Binary string: Re:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb- | source: AstroGrep.AdminProcess.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AstroGrep.Common\obj\Release\AstroGrep.Common.pdb | source: AstroGrep.Common.dll.5.dr
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb | source: ms.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 | source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb | source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb@ | source: libAstroGrep.dll.5.dr
Source: Binary string: .exe;.dll;.pdb;.msi;.sys;.ppt;.gif;.jpg;.jpeg;.png;.bmp;.class;.chm+{0}{4}{1}{4}{2}{4}{3} | source: AstroGrep.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb | source: libAstroGrep.dll.5.dr
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb | source: ms.exe
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT | source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb | source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb | source: AstroGrep.AdminProcess.exe.5.dr
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00406033 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00402688 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 185.195.232.251:57667
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.23.98.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 185.195.232.251 (36 identical entries in the original listing, collapsed here)
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://astrogrep.sourceforge.net
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://astrogrep.sourceforge.net/Ihttp://www.gnu.org/copyleft/gpl.html
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://astrogrep.sourceforge.net/download/
Source: AstroGrep.Common.dll.5.dr | String found in binary or memory: http://astrogrep.sourceforge.net/version.htmlUhttp://astrogrep.sourceforge.net/download/Whttps://sou
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://downloads.sourceforge.net/astrogrep/
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://downloads.sourceforge.net/astrogrep/readme.txt
Source: ICSharpCode.AvalonEdit.dll.5.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
Source: ICSharpCode.AvalonEdit.dll.5.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting
Source: ICSharpCode.AvalonEdit.dll.5.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ
Source: ICSharpCode.AvalonEdit.dll.5.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008
Source: ICSharpCode.AvalonEdit.dll.5.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/3
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/5
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: NLog.dll.5.dr | String found in binary or memory: http://nlog-project.org/ws/T
Source: ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ms.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000003.256251943.000000000074E000.00000004.00000001.sdmp, ms.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://pastebin.com
Source: astro-grep.exe | String found in binary or memory: http://schemas.microsof
Source: NLog.dll.5.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ASTRO-GREP.EXE, 00000003.00000002.250692664.0000000002A34000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0v
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: AstroGrep.exe.5.dr | String found in binary or memory: http://www.gnu.org/copyleft/gpl.html#SEC3
Source: NLog.dll.5.dr | String found in binary or memory: https://nlog-project.org/
Source: astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com
Source: astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw
Source: astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/VTByvKGM
Source: astro-grep.exe, 0000000D.00000002.462183818.0000000002B36000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com43l
Source: astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462336171.0000000002C73000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462353763.0000000002C96000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462305606.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.comD83l
Source: astro-grep.exe, 0000000D.00000002.462235560.0000000002B82000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.comD83lh;
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr | String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
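The network section describes a dead-drop resolver: the RAT resolves and fetches pastebin.com over TLS (the https://pastebin.com/raw/... string in memory), then opens TCP connections to 185.195.232.251:57667 for which the sandbox saw no DNS query at all, because the address came out of the paste. The correlation below is an added example written for this page, not Joe Sandbox code; it runs over constructed DNS and connection log excerpts modelled on the traffic above. The two addresses from the report are reused, the 203.0.113.0/24 hosts, their names, the timestamps, the paste-site list and the port and window thresholds are assumptions made for the example.

```python
import ipaddress

# Constructed log excerpts modelled on the sandbox traffic above. Timestamps are seconds
# into the run. 104.23.98.190 and 185.195.232.251 are taken from the report; the
# 203.0.113.0/24 hosts and their names are invented for this example.
DNS_LOG = [  # (ts, queried name, answer IPs)
    (10.0, "pastebin.com", ["104.23.98.190", "104.23.99.190"]),
    (10.1, "update.example.net", ["203.0.113.10"]),
]
CONN_LOG = [  # (ts, dst_ip, dst_port, proto)
    (10.2, "104.23.98.190", 443, "tcp"),       # TLS to the paste site: the dead-drop fetch
    (10.4, "185.195.232.251", 57667, "tcp"),   # C2 taken from the paste: no DNS, high port
    (10.5, "185.195.232.251", 57667, "tcp"),
    (11.0, "203.0.113.10", 80, "tcp"),         # resolved host, expected port: benign
    (12.0, "192.168.2.1", 53, "udp"),          # local resolver, internal: skipped
    (200.0, "203.0.113.20", 8443, "tcp"),      # unresolved, but far outside the window
]

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
PASTE_SITES = {"pastebin.com"}                       # assumption: extend with other dead-drop hosts
EXPECTED_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def first_resolution(dns_log):
    """Map each answered IP to the (timestamp, name) of the first DNS answer that returned it."""
    seen = {}
    for ts, name, answers in dns_log:
        for ip in answers:
            seen.setdefault(ip, (ts, name))
    return seen


def unresolved_connections(dns_log, conn_log):
    """External connections whose destination was never returned by an earlier DNS answer."""
    seen = first_resolution(dns_log)
    hits = []
    for ts, ip, port, proto in conn_log:
        if is_internal(ip):
            continue
        prior = seen.get(ip)
        if prior is None or prior[0] > ts:
            hits.append({"ts": ts, "ip": ip, "port": port, "proto": proto,
                         "nonstandard_port": port not in EXPECTED_PORTS})
    return hits


def dead_drop_chain(dns_log, conn_log, window=60.0):
    """Paste-site contact followed within `window` seconds by an unresolved, high-port connection."""
    seen = first_resolution(dns_log)
    paste_contacts = [ts for ts, ip, _, _ in conn_log
                      if ip in seen and seen[ip][1] in PASTE_SITES]
    chain = set()
    for h in unresolved_connections(dns_log, conn_log):
        if h["nonstandard_port"] and any(0 <= h["ts"] - p <= window for p in paste_contacts):
            chain.add((h["ip"], h["port"]))
    return sorted(chain)


if __name__ == "__main__":
    for h in unresolved_connections(DNS_LOG, CONN_LOG):
        print("no prior DNS:", h)
    print("dead-drop C2 candidates:", dead_drop_chain(DNS_LOG, CONN_LOG))
```

Hunt on the pattern rather than on the address: the paste behind https://pastebin.com/raw/VTByvKGM can be edited at any time, so the 185.195.232.251:57667 endpoint this run observed is only what the paste said on the day of analysis. The "TCP traffic without corresponding DNS query" signal survives such rotation; pairing it with a recent paste-site fetch is what lifts it above ordinary IP-literal traffic.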

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: ms.exe, type: SAMPLE
Source: Yara match | File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

                            System Summary:

Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F28148
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F2B258
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F2E5B0
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F27878
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F27130
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_004048C5
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_004064CB
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00406CA2
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00EA8148
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00EAE5B0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00EA7878
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00EA7130
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00EACD60
Source: ms.exe | Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ms.exe | Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: ms.exe | Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: ms.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ms.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ms.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AstroGrep.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ms.exe, 00000001.00000002.200160111.0000000002430000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ms.exe
Source: ms.exe, 00000001.00000002.199948307.00000000009F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ms.exe
Source: ms.exe, 00000001.00000002.199948307.00000000009F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ms.exe
Source: ms.exe | Binary or memory string: OriginalFilenameStub.exe" vs ms.exe
Source: ms.exe | Binary or memory string: OriginalFilenameAstroGrep_Setup_v4.4.7.exe@ vs ms.exe
Source: ms.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ms.exe, type: SAMPLE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
                            Source: ASTRO-GREP.EXE.1.dr, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: astro-grep.exe.3.dr, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 13.2.astro-grep.exe.770000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 13.0.astro-grep.exe.770000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 17.2.astro-grep.exe.430000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUe
YeeUck8GNsyx8WHqW6DHeMgQYSOay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 17.0.astro-grep.exe.430000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUe
YeeUck8GNsyx8WHqW6DHeMgQYSOay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ASTRO-GREP.EXE.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ASTRO-GREP.EXE.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.0.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ICSharpCode.AvalonEdit.dll.5.dr | Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
Source: ICSharpCode.AvalonEdit.dll.5.dr | Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
Source: ICSharpCode.AvalonEdit.dll.5.dr | Binary or memory string: c.xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec
Source: classification engine | Classification label: mal52.troj.evad.winEXE@19/26@1/2
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00404352 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_0040205E CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A310C0 _memset,OutputDebugStringA,FindResourceA,CreateFileA,SizeofResource,LoadResource,LockResource,WriteFile,FindCloseChangeNotification,ShellExecuteA,
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | File created: C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3820:120:WilError_01
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:784:120:WilError_01
Source: C:\Users\user\Desktop\ms.exe | File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Users\user\Desktop\ms.exe | Command line argument: shell32.dll
Source: C:\Users\user\Desktop\ms.exe | Command line argument: ShellExecuteA
Source: C:\Users\user\Desktop\ms.exe | Command line argument: RBIND
Source: ms.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ms.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ms.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ms.exe | Virustotal: Detection: 78%
Source: unknown | Process created: C:\Users\user\Desktop\ms.exe 'C:\Users\user\Desktop\ms.exe'
Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\Users\user\Desktop\ms.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Window detected: < &BackI &AgreeCancelNullsoft Install System v3.0rc1 Nullsoft Install System v3.0rc1License AgreementPlease review the license terms before installing AstroGrep v4.4.7.Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away yourfreedom to share and change it. By contrast the GNU General PublicLicense is intended to guarantee your freedom to share and change freesoftware--to make sure the software is free for all its users. ThisGeneral Public License applies to most of the Free SoftwareFoundation's software and to any other program whose authors commit tousing it. (Some other Free Software Foundation software is covered bythe GNU Library General Public License instead.) You can apply it toyour programs too. When we speak of free software we are referring to freedom notprice. Our General Public Licenses are designed to make sure that youhave the freedom to distribute copies of free software (and charge forthis service if you wish) that you receive source code or can get itif you want it that you can change the software or use pieces of itin new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbidanyone to deny you these rights or to ask you to surrender the rights.These restrictions translate to certain responsibilities for you if youdistribute copies of the software or if you modify it. For example if you distribute copies of such a program whethergratis or for a fee you must give the recipients all the rights thatyou have. 
You must make sure that they too receive or can get thesource code. And you must show them these terms so they know theirrights. We protect your rights with two steps: (1) copyright the software and(2) offer you this license which gives you legal permission to copydistribute and/or modify the software. Also for each author's protection and ours we want to make certainthat everyone understands that there is no warranty for this freesoftware. If the software is modified by someone else and passed on wewant its recipients to know that what they have is not the original sothat any problems introduced by others will not reflect on the originalauthors' reputations. Finally any free program is threatened constantly by softwarepatents. We wish to avoid the danger that redistributors of a freeprogram will individually obtain patent licenses in effect making theprogram proprietary. To prevent this we have made it clear that anypatent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution andmodification follow. GNU GENERAL PUBLIC L
                            Source: ms.exe Static file information: File size 1068032 > 1048576
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: ms.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Source: ms.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: Re:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb- source: AstroGrep.AdminProcess.exe.5.dr
                            Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AstroGrep.Common\obj\Release\AstroGrep.Common.pdb source: AstroGrep.Common.dll.5.dr
                            Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
                            Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
                            Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb source: ICSharpCode.AvalonEdit.dll.5.dr
                            Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb@ source: libAstroGrep.dll.5.dr
                            Source: Binary string: .exe;.dll;.pdb;.msi;.sys;.ppt;.gif;.jpg;.jpeg;.png;.bmp;.class;.chm+{0}{4}{1}{4}{2}{4}{3} source: AstroGrep.exe.5.dr
                            Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb source: libAstroGrep.dll.5.dr
                            Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
                            Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT source: ICSharpCode.AvalonEdit.dll.5.dr
                            Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
                            Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb source: AstroGrep.AdminProcess.exe.5.dr
                            Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                            Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                            Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                            Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                            Source: ms.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                            Data Obfuscation:

                            .NET source code contains potential unpacker
                            Source: ASTRO-GREP.EXE.1.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: astro-grep.exe.3.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: 13.2.astro-grep.exe.770000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: 13.0.astro-grep.exe.770000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: 17.2.astro-grep.exe.430000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: 17.0.astro-grep.exe.430000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                            Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A36260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                            Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A34485 push ecx; ret
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F711F push cs; iretd
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F7399 push es; ret
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F710D push cs; iretd
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F2F81 push eax; ret
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F2A66 push 0000003Eh; retn 0000h
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_005F4122 push eax; ret
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2BE10 pushfd ; retf
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00772A66 push 0000003Eh; retn 0000h
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00774122 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_0077711F push cs; iretd
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00777399 push es; ret
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00772F81 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_0077710D push cs; iretd
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00432F81 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_0043710D push cs; iretd
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00437399 push es; ret
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_0043711F push cs; iretd
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00434122 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 17_2_00432A66 push 0000003Eh; retn 0000h
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\nsDialogs.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\StartMenu.dll
                            Source: C:\Users\user\Desktop\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File created: C:\Users\user\AppData\Roaming\astro-grep.exe
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\NLog.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.exe
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\System.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
                            Source: C:\Users\user\Desktop\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\LangDLL.dll
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\Uninstall.exe
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt

                            Boot Survival:

                            Yara detected AsyncRAT
                            Source: Yara match File source: ms.exe, type: SAMPLE
                            Source: Yara match File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
                            Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
                            Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
                            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
                            Uses schtasks.exe or at.exe to add and modify task schedules
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk
                            Source: C:\Users\user\Desktop\ms.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                            Source: C:\Users\user\Desktop\ms.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion:

                            Yara detected AsyncRAT
                            Source: Yara match File source: ms.exe, type: SAMPLE
                            Source: Yara match File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
                            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                            Source: astro-grep.exe, ms.exeBinary or memory string: SBIEDLL.DLL
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dllJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dllJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\NLog.dllJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\libAstroGrep.dllJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEDropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\Uninstall.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 6128Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 4840Thread sleep time: -45000s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 4920Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile Volume queried: C:\Program Files (x86) FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile Volume queried: C:\Program Files (x86) FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXECode function: 5_2_00406033 FindFirstFileA,FindClose,
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXECode function: 5_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXECode function: 5_2_00402688 FindFirstFileA,
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile opened: C:\Users\user
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile opened: C:\Users\user\AppData
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile opened: C:\Users\user\AppData\Roaming
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXEFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                            Source: ms.exeBinary or memory string: vmware
                            Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                            Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                            Source: astro-grep.exe, 0000000D.00000002.465070597.00000000050B0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEProcess information queried: ProcessInformation

                            Anti Debugging:

                            Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F2BC64 CheckRemoteDebuggerPresent,
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A33BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A36260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A34991 SetUnhandledExceptionFilter,
                            Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A33BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A32701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Memory allocated: page read and write | page guard
                            Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                            Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
                            Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                            Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                            Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progman
                            Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
                            Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A35173 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings:

                            Yara detected AsyncRAT
                            Source: Yara match | File source: ms.exe, type: SAMPLE
                            Source: Yara match | File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED

                            Mitre Att&ck Matrix

                            The matrix is reproduced per tactic column. Techniques are listed in the report's row order; the bracketed digits after a technique are the report's superscript counters, reproduced exactly as extracted.

                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                            Execution: Windows Management Instrumentation [1]; Scripting [1]; Native API [1]; Command and Scripting Interpreter [2]; Scheduled Task/Job [2]; Launchd; Scheduled Task; Command and Scripting Interpreter
                            Persistence: Scheduled Task/Job [2]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                            Privilege Escalation: Access Token Manipulation [1]; Process Injection [12]; Scheduled Task/Job [2]; Registry Run Keys / Startup Folder [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                            Defense Evasion: Disable or Modify Tools [1]; Scripting [1]; Obfuscated Files or Information [111]; Software Packing [11]; Masquerading [2]; Virtualization/Sandbox Evasion [41]; Access Token Manipulation [1]; Process Injection [12]
                            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                            Discovery: System Time Discovery [1]; File and Directory Discovery [3]; System Information Discovery [26]; Query Registry [1]; Security Software Discovery [231]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Remote System Discovery [1]
                            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                            Collection: Archive Collected Data [1]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                            Command and Control: Web Service [1]; Encrypted Channel [12]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [2]; Multiband Communication; Commonly Used Port; Application Layer Protocol
                            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                            Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                            Behavior Graph

                            Behavior Graph ID: 450276  Sample: ms.bin  Start date: 17/07/2021  Architecture: WINDOWS  Score: 52

                            Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected AsyncRAT; 5 other signatures

                            Process tree as drawn in the graph (bracketed numbers after a process name are the graph's per-node counters, reproduced as extracted):

                            ms.exe [3] (started by the sample)
                              dropped: C:\Users\user\AppData\...\ASTRO-GREP.EXE, PE32
                              dropped: C:\Users\user\...\ASTROGREP_SETUP_V4.4.7.EXE, PE32
                              ASTRO-GREP.EXE [7] (started)
                                dropped: C:\Users\user\AppData\...\astro-grep.exe, PE32
                                signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                                cmd.exe [1] (started)
                                  signature: Uses schtasks.exe or at.exe to add and modify task schedules
                                  conhost.exe (started)
                                  schtasks.exe [1] (started)
                                cmd.exe [1] (started)
                                  astro-grep.exe [2] (started)
                                  conhost.exe (started)
                                  timeout.exe [1] (started)
                              ASTROGREP_SETUP_V4.4.7.EXE [12 46] (started)
                                dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32
                                dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
                                dropped: C:\Users\user\AppData\Local\...\StartMenu.dll, PE32
                                dropped: 8 other files (none is malicious)
                            astro-grep.exe [15 2] (started by the sample)
                              network: 185.195.232.251, ports 49728, 49729, 49735, ESAB-ASSE Sweden
                              network: pastebin.com 104.23.98.190, ports 443, 49727, CLOUDFLARENETUS United States
                              signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file


                            Antivirus, Machine Learning and Genetic Malware Detection

                            Initial Sample

                            Source | Detection | Scanner | Label
                            ms.exe | 78% | Virustotal |
                            ms.exe | 100% | Avira | TR/Dropper.Gen
                            ms.exe | 100% | Joe Sandbox ML |

                            Dropped Files

                            Source | Detection | Scanner | Label
                            C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | 100% | Avira | TR/Dropper.Gen
                            C:\Users\user\AppData\Roaming\astro-grep.exe | 100% | Avira | TR/Dropper.Gen
                            C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Roaming\astro-grep.exe | 100% | Joe Sandbox ML |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | Virustotal |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | ReversingLabs |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | ReversingLabs |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 2% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 0% | ReversingLabs |
                            C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | 0% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | 0% | ReversingLabs |
                            C:\Program Files (x86)\AstroGrep\NLog.dll | 0% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\NLog.dll | 0% | ReversingLabs |
                            C:\Program Files (x86)\AstroGrep\Uninstall.exe | 5% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\Uninstall.exe | 2% | ReversingLabs |
                            C:\Program Files (x86)\AstroGrep\libAstroGrep.dll | 0% | Metadefender |
                            C:\Program Files (x86)\AstroGrep\libAstroGrep.dll | 0% | ReversingLabs |
                            C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | 5% | Metadefender |
                            C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | 4% | ReversingLabs |

                            Unpacked PE Files

                            Source | Detection | Scanner | Label
                            3.0.ASTRO-GREP.EXE.5f0000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            3.2.ASTRO-GREP.EXE.5f0000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            17.2.astro-grep.exe.430000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            13.2.astro-grep.exe.770000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            1.0.ms.exe.a30000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            17.0.astro-grep.exe.430000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            1.0.ms.exe.a4b130.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                            13.0.astro-grep.exe.770000.0.unpack | 100% | Avira | TR/Dropper.Gen
                            3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack | 100% | Avira | HEUR/AGEN.1110362
                            1.2.ms.exe.a4b130.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
                            1.2.ms.exe.a30000.1.unpack | 100% | Avira | TR/Dropper.Gen

                            Domains

                            No Antivirus matches

                            URLs

                            Source | Detection | Scanner | Label
                            https://pastebin.com43l | 0% | Avira URL Cloud | safe
                            https://pastebin.comD83l | 0% | Avira URL Cloud | safe
                            https://pastebin.comD83lh; | 0% | Avira URL Cloud | safe
                            http://schemas.microsof | 0% | URL Reputation | safe
                            http://schemas.microsof | 0% | URL Reputation | safe
                            http://schemas.microsof | 0% | URL Reputation | safe
                            http://schemas.microsof | 0% | URL Reputation | safe

                            Domains and IPs

                            Contacted Domains

                            NameIPActiveMaliciousAntivirus DetectionReputation
                            pastebin.com
                            104.23.98.190
                            truefalse
                              high

                              URLs from Memory and Binaries


                                                                                            Contacted IPs


                                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.195.232.251 | unknown | Sweden | 39351 | ESAB-ASSE | false
104.23.98.190 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false

                                                                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 450276
Start date: 17.07.2021
Start time: 22:36:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ms.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.troj.evad.winEXE@19/26@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.8% (good quality ratio 11.6%)
• Quality average: 70%
• Quality standard deviation: 37.1%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.147.198.201, 23.211.6.115, 20.82.210.154, 23.35.236.56, 40.112.88.60, 20.82.209.183, 80.67.82.235, 80.67.82.211, 20.50.102.62
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                            Simulations

                                                                                            Behavior and APIs

Time | Type | Description
22:37:25 | Task Scheduler | Run new task: astro-grep path: "C:\Users\user\AppData\Roaming\astro-grep.exe"

                                                                                            Joe Sandbox View / Context

                                                                                                TIJYYlYJpv.exeGet hashmaliciousBrowse
                                                                                                • 185.65.135.248
                                                                                                NotificationApplicationspdf.exeGet hashmaliciousBrowse
                                                                                                • 141.98.255.146
                                                                                                SgCDxPdEul.exeGet hashmaliciousBrowse
                                                                                                • 185.65.135.248
                                                                                                5icstaf5i1.exeGet hashmaliciousBrowse
                                                                                                • 45.83.220.209
                                                                                                aY5UWK4jxg.exeGet hashmaliciousBrowse
                                                                                                • 45.83.220.209
                                                                                                ewlD3Dwdxy.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.182
                                                                                                byodInstCL.exeGet hashmaliciousBrowse
                                                                                                • 193.32.127.38
                                                                                                SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeGet hashmaliciousBrowse
                                                                                                • 185.195.232.251
                                                                                                PD0ssyK178.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                EpVgl7WUGD.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                tgv7RXFab7.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                7niXcdi1SU.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                9gee3iCc4N.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                l3eFnAYO6a.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                X97zFKQz4Q.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                jf1w8rsogr.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                s1G5ZwG3Yb.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                3ZhSP5SXgW.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173
                                                                                                wvS1iVG3MK.exeGet hashmaliciousBrowse
                                                                                                • 185.65.134.173

JA3 Fingerprints


Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | astro-grep-setup.exe.doc | malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | astro-grep-setup.exe.doc | malicious
C:\Program Files (x86)\AstroGrep\NLog.dll | astro-grep-setup.exe.doc | malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | astro-grep-setup.exe.doc | malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.exe | astro-grep-setup.exe.doc | malicious

Created / dropped Files

C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 7168
Entropy (8bit): 4.487949196682819
Encrypted: false
SSDEEP: 96:+2x9scF3MzO5l+9B9Q6uyT4A3KXr7HazHJ/ylHj/V3ojWNta1FYcCe:5x938OYLsA3YgwN5RszYcCe
MD5: A06B34EE8AD3B52CE1C76847FC7991A0
SHA1: D52CBED52AD91E5D297E3F96D7AAA1476A42F087
SHA-256: 0822F460D448356DAE96963C1A56DA2553FE6BB6A859B1646D1A76DBC346F03C
SHA-512: B4741046E83A89FBFB8848AC649E22D1773B54F5B6C96EE49057C12ADE502DE5594C706BAE140FEF864F3FB1A585A0F8D840C5369073561189C9665CD5FD2CD2
Malicious: false
Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
Reputation: low
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe.config
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 175
Entropy (8bit): 5.022488547778473
Encrypted: false
SSDEEP: 3:vFWWMNHU8LdgCQcIMOoT02VK/FlURAmIRMNHjFHr0lUfEyhTRRAoe+RAW4QIMOov:TMVBd1I002VKNa7VJdfEyFRRAoeuAW44
MD5: 57717DA46BD278CA043D8101847D8FF4
SHA1: D93BAADBB3C644D841D7AA4E95DCD76F9897BD05
SHA-256: 12D08F2857A02B5A4EF5DF6EC2D840296AAC4C219704B2FB6F15A7571230A4C5
SHA-512: A054A7FD69E4A643286212FEDABDE4BDFB36BBF3E7F9FC33524BA8DFECBC375E991C23B4E047F5F235A77E9D6A525F996934A4A993B61E1FE7D84066FF972DF1
Malicious: false
Preview:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
  </startup>
</configuration>
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 9216
Entropy (8bit): 4.660156886149009
Encrypted: false
SSDEEP: 192:MPL93AfzEbqrlLH945OKtueaQJ6BLcSEeC137:MsEbyHGscu3DdkxL
MD5: 2F2899673ABB136BFC8B92A6D3BAFF33
SHA1: 5BE14D5C58AF9F78858DD5E9ED6CD929F87AC0B4
SHA-256: 0E7A71232FB6676777A823ADDB4776BD895ABBE29EA2487110073BD0C5FF6AA6
SHA-512: CF5B23F4E5417DDC4AB5A354E7EA90C5CCE28133DE7D1AE260F0879E474727DBB73E47C9CB92A98BD5B6F6EBCFC67CD955423FA1615A0D7C24783415325200CA
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.exe
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 573440
Entropy (8bit): 6.183835631467389
Encrypted: false
SSDEEP: 12288:uibf6/zxXrXyhwSl9LndCXlhqNWvgVYODH9zG5X1LeihaBQSa:ifEWOYODH9zoX1Le/
MD5: 202C965DE1291E773F7DAE0C495253FB
SHA1: 13EB40E5DF525388D7A2AD18B1720FED78C5EE13
SHA-256: 3138155ABD6A9BADDB63869CD34BF0492718929E910CB4F38BC1767507932B4F
SHA-512: 97445E848DA86876AB324B9C6EC2D27F51BE753ABF1956A79829763F92363B9B7C05A232F876C97A66653109505BAE94BB2B85B53E6F9697698EF8EA2FD21F7A
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 2%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.exe.config
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 237
Entropy (8bit): 4.960108368394514
Encrypted: false
SSDEEP: 6:TMV0kIffVKNC7VJdfEyFRRAopuAlKNjSt+gP9XWRM5W4QIT:TMG13VOcr6U9wNutJP9UMo4xT
MD5: 502C63E84CACC88FA782EEC1772EFF68
SHA1: BA6138741633C60D1C92C7C25DDE15D378C0C324
SHA-256: FE3405C9535DCE3857908E6740099227B7D55CF78A15676D440E781E04EA17BD
SHA-512: EBA2DD5216BB3293BB3101A5CDADDEF0B4A94577159A8A0654F712F9939F1D03FF670DA6DF0B5F4475D593EDDF330E76E2F6EB19B19E3E51C2EA53A74ACC59B3
Malicious: false
Preview:
<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
  </startup>

  <runtime>
    <gcAllowVeryLargeObjects enabled="true" />
  </runtime>
</configuration>
C:\Program Files (x86)\AstroGrep\AstroGrep_256x256.png
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 6813
Entropy (8bit): 7.898680227457462
Encrypted: false
SSDEEP: 192:djkp/iNmEYXGtZEV2QWEgFmPPqlqCSKG1Ief:hmiNmTP733q+XR
MD5: 2143826EABE773D3206333B65C2FC67B
SHA1: B75806940C971C2BB8584E1028EFA512F8AA5646
SHA-256: 8A50671F22D64A0131C9FFE23B3777862172F6D5C63B48C94DFE0FE8E8D62D06
SHA-512: 3D0611BEE13D6A397D5FB3F2E924829360596891DBCFDE1EC0FCE25F2DDEE62D50A10ABA31827334FE12867C508694BB8FB3F72604FC08A1CD323C2615C2F3FF
Malicious: false
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 626688
Entropy (8bit): 6.014937851800105
Encrypted: false
SSDEEP: 6144:Oo7n6u1n5vp9yRUmqtM0yRrl0pjoeUy8b01vKbZ/gAGl0gUEdYC:OoLDnwmW0yRr88bwKKdf
MD5: B4D5D46E50006E87B30E7D514E95173C
SHA1: BD3BA298EB7E4CDBFDF29E3992BE7D32A4E792EB
SHA-256: 058F38F33F3F99F904AB9588447A234346C859718404B4E8A523673ED19CDBE7
SHA-512: 38FF7CADA6CFA56AF812A1D859AAC4FB8B94DF50454A9FECC55E4FDB159339F6BA885D0B57FE8C522227DD9280CDA0CA21C6A073B6552923FA33F6E77D8F3BC5
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
C:\Program Files (x86)\AstroGrep\NLog.dll
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 784384
Entropy (8bit): 6.017097344038701
Encrypted: false
SSDEEP: 12288:/n77J/zrlPjThZdvTU585ZqmjlJzAF7GVj8TcpkMcaQD3SaB5mUsQ:/n77J/zrlPjThZdv55ZbIF7GVje4kRD5
MD5: 063D7646038B3676CA4BBCCF8CD9736C
SHA1: DE90082E366938A3D1BB16A9B5BBB4D692F620D4
SHA-256: F809128B8E35F20A0407F9642AEFA1A64D2B5494F024F5EC403B712C67441ECD
SHA-512: BB50F12A9B5DE65752B7AFDDF82726A82BB06DF8B6B16712385663981DA810189FA9B72FA45122B3C57719D9EB626BB5D1D90B29D833851A4AA08E35B6FDB923
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
C:\Program Files (x86)\AstroGrep\Uninstall.exe
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 61854
Entropy (8bit): 6.589895956298641
Encrypted: false
SSDEEP: 1536:Gw4fpS/nScizHM74N0DIDidcfgdLeAyN9jWtNixGl:Gw4gnScG4DI2dcfceAkWrixq
MD5: 15BDDE25A8A23AAFB0E593D4A1F145B6
SHA1: 250EC8FEA74A2EAC9A1BD3DA1ABF5AC91D1962D7
SHA-256: 4118177FBD02533C449D3D02168300DA1D5B24052B10877A3B4BC03E27C5C375
SHA-512: 3AFB05064722B5616EA74BC8C8E6C50D6EB8F1125AC333339430D05FAE89E445753E45DD5FDCA17E9BE9A94BCA67B3E2B31EEB52DAF2AF3BEC47D0A1EC1ABD03
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 5%
• Antivirus: ReversingLabs, Detection: 2%
C:\Program Files (x86)\AstroGrep\astrogrep.VisualElementsManifest.xml
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 303
Entropy (8bit): 5.268121017723893
Encrypted: false
SSDEEP: 6:ejHyWc4subuVFWod/NDhkQwYnF4kQwYWadTZ/FhYWadTZ/FeXXKhdNc0SDSFQ:ebvyWW/meZsR1sR8drDGQ
MD5: 824E6132D30D647AED6E9EE3C2DA12C9
SHA1: DCBE8CAB6784AA26BC9A4F0DC5B60D9733A49F74
SHA-256: 01BF1A694FAF44953B592D1C237D3F93C1B8B346476C30E638C1FAAD0201386B
SHA-512: DABC61D48723B53C95EE7BBDDB92261E724054CDCE4F9616B0338CACE8F8A9667CAC087C131D8A83BEE68875436F08F9A313F70EA5B85A46989D2B21C84F0541
Malicious: false
Preview: <Application xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>.. <VisualElements.. ShowNameOnSquare150x150Logo='on'.. Square150x150Logo='AstroGrep_256x256.png'.. Square70x70Logo='AstroGrep_256x256.png'.. ForegroundText='light'.. BackgroundColor='#fb7f06'/>..</Application>
C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 237568
Entropy (8bit): 5.286872988422086
Encrypted: false
SSDEEP: 3072:1QwCS0adLYzS+L5VsbeNcg2IZOz3eJJ9oA3fGu51O+q4gbPaYgVXLRn/qR8H6K69:1QwCAdLy/mucxIUKPOufGu5m4fr
MD5: 6E3AFEF0BD6B7EC03007CCDD76F85447
SHA1: 8B434EAB09D948FAC57E98F312C8B24381873374
SHA-256: B268CDA0D5F431E0CB86FFF8A39420AC03DFC9C498CAE702F859904B79307EDE
SHA-512: E10EC66C764584AD80D47C1B0CF64B61EBBE3B4E72D2CA05BCDAB5B62F4E3F6FE17A1C37EED9D87A678B8C3D42E6534DE9EE95BF204CA815426EA28935633894
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Program Files (x86)\AstroGrep\license.txt
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 18330
Entropy (8bit): 4.736471809051081
Encrypted: false
SSDEEP: 384:lq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDTj:lzuVLiY+rTZo0sDTj
MD5: 1324A1677693CF2A399CC9424C756CC3
SHA1: 2F29E68AB545965C401A12CE4783F7314E658AF3
SHA-256: A4BD518E7F66B63A62035C0C542B5F3287BAF7138E13A0F6A30781D8730D766A
SHA-512: 2FD47275325B3605A9B982704BABFAD72D5AF3048064C66554F00F4D4D264DF252697F1D52733F6C87FBB3927A9FDD48ACF94B2E9475FD52334EFA12EA9F0B5A
Malicious: false
Preview: .. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Publi
C:\Program Files (x86)\AstroGrep\readme.txt
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1834
Entropy (8bit): 4.931632926415765
Encrypted: false
SSDEEP: 24:CGEEY1zF17X+B41FcMEEn+0MJ/cIr3EQZ1WrT5M5tmZNijpibbCT32yvosGQC:tYFFN+B41eM2UvQL0T1Fzy/GZ
MD5: ABE9A78B3FD8ECD7409C2B382820134E
SHA1: 9AEC458EA30060EE633BD25D235C02AAEFF989D1
SHA-256: B17BBDB71C888116A8661B373CA088C9B174E00551DF81B887EE9BCA28492189
SHA-512: 0F554B3BA4749B22728D303B7AC1BD7596CCAE5A51D0F06560AA829222DD5DFF31F089C2D5894A23D97093836A76595EA5BAA4441EAC4DF44C321F14CD554A3D
Malicious: false
Preview: .Changelog for AstroGrep v4.4.7..===================================================================..Bugs..-85: Possible issue with word plugin and leaving winword.exe process open...-98: Error "the string was not recognized as a valid DateTime"..-100: Performance issues..-101: Searching Multiple MS Word Documents..-102: Context Lines Display Discrepancy..-103: Astrogrep 4.4.6 hangs clicking on found file..-104: commandline spath not accepting multiple searchPath..-108: Used ListSeparator on right mouse "Copy all"..-109: Command Line issues - Check logic and docs..-113: Feature 108 is not working (Add additional text editor parameter for search text)....Featured Requests:..-101: Stopped painting status bar as often..-110: Exclude directories that do not match pattern (added not equals option for path based options)..-119: Added line hit count to count column values (format: total / line in current Count column)..-122: Add option to only show x chars before/.after matched text..-12
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Apr 4 19:57:44 2019, mtime=Sun Jul 18 04:37:27 2021, atime=Thu Apr 4 19:57:44 2019, length=573440, window=hide
Category: dropped
Size (bytes): 1110
Entropy (8bit): 4.634964714009965
Encrypted: false
SSDEEP: 24:8mQzdPRmdOEop//OVlOUA7Ly5SdfmvdfvQUUtU7aB6m:8mcPRmdOrN/ClOj7Ly5SdfmvdfvFqxB6
MD5: 4E02F0D58593649DB109E42966511216
SHA1: 1F261578B7374A22C5727AFBA3CEDE9C8827990C
SHA-256: 9969E124D26F04D61C2BC62A9109C720B4826DF21EB92ADD4206FA52BE3B341B
SHA-512: 1CB19D3FF59E0A6773424B7CD5204F75BCCAE1A90D923F5E9A40E7381D12722A5480B68F65D731C6E18E167EC9FC7854F746DADD2ED6A67CAEB380603B5FD7B7
Malicious: false
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk
Process: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 18 04:37:27 2021, mtime=Sun Jul 18 04:37:27 2021, atime=Sun Jul 18 04:37:27 2021, length=61854, window=hide
Category: dropped
Size (bytes): 1110
Entropy (8bit): 4.665663359768743
Encrypted: false
SSDEEP: 24:8m1aRvdOEopF/g+taHfUA7LMdfOhgdfvQUUKj7aB6m:8m1aRvdOrf/g+taHfj7LMdfOhgdfvFND
MD5: F26EA75861C05D224B5375D6BF24E6FE
SHA1: F21F56ADF6987A9A8E5A269817A4BC8574C78AF3
SHA-256: BC15264E99D05B6459DEC01BBF8D55AEAD2E6CDBC166EE0578F217E350E3CA90
SHA-512: 9D5F1CFB1E8EF08D2D8F00D8F9B418C2AB820D09C417A50A1162F6029BA090D0E3A6D05AA1C313E152030D244520697D7BC4F3A5D5C9E73357BBA46A0E126251
Malicious: false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ASTRO-GREP.EXE.log
Process: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 614
Entropy (8bit): 5.330897468506462
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaxzAbDLI4Mq92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhmsXE4x84j
MD5: A4395C8F90A59E4CC7F7923D8BDE437C
SHA1: A8E9EBD5CDF81E720979E795391EF2440CE5DA4A
SHA-256: F84DFD4D4F8BA0113ED2C0394868B1E4C8F83850DE051FA599621098C190FE6E
SHA-512: 7F1F159667C7F4A9E60E272DF00A2D33A72816F35FEF1DAD37F17B089E506D1CCC0350D569690230F53A44DB49FFDB81BC6E47B7F96BB4469395926F3BC953D3
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                          C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          Process:C:\Users\user\Desktop\ms.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):48640
                                                                                                          Entropy (8bit):5.561770945961325
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:quCFNTAolrhWU5TeLmo2qrJW6K8e2gaM9PIItc5pIX0byDBm1ERjvmFq+YBDZsx:quCFNTA2G2d6K5aM6Itc5pIEbyAqRzyX
                                                                                                          MD5:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          SHA1:7BA5B175FFB4BB976C54177F9C40A7339A088654
                                                                                                          SHA-256:17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
                                                                                                          SHA-512:BAC97805D8FCBA49B7BDE5067911B293622C610A65F2A2FC527A6C890BE8E79C6CA9C9676786B1EAAC19ECBDB16562EFEE2D7C985707FC04E57E4E3033C75B0B
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.................................T...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..Xv.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
                                                                                                          C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          Process:C:\Users\user\Desktop\ms.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                          Category:dropped
                                                                                                          Size (bytes):950654
                                                                                                          Entropy (8bit):7.974042856320811
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:2MhCG3sDOdqnRrLVvjD9puJ7li2OLUC0Dc/rP0flxwg:AG3sJpRvjhU7I2OLZD/LUr7
                                                                                                          MD5:A708211241313FEAF9621E571631534D
                                                                                                          SHA1:9F398E0CC5B2B5162D5F27A6653709F836D02998
                                                                                                          SHA-256:5C4FAEBE335FEE04B25B10AA2A0E580571388BDE2CC09E133C72D9D01BC09423
                                                                                                          SHA-512:8E2FA5F33E16879D8F5ACB4AB783AA4B4B37266CD1346ABEF5D54F2DFEB2177AF872575780E2E7CD02E462349B1C35642C0F7BA3F860034775A064E9A07B08AF
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 5%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L....z.W.................`...|.......1.......p....@.......................................@.................................4u..........pP...........................................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...................................rsrc...pP.......R...~..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\LangDLL.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):5632
                                                                                                          Entropy (8bit):3.936685359308878
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:im1qsjq8W2MPUptuMMFvx/om/ycNSCwVGfOY0vB6/JvR0Jvof5d2D:F1iBl91Z7/ycNSCwV8TLZR0gd2
                                                                                                          MD5:91D5E21907E4BAFF0145339311ABF9D9
                                                                                                          SHA1:F867D8529D4F3704CD4F475B46699B66CB6C2002
                                                                                                          SHA-256:ACDE373CC4916BE5DF3D239AB67F5980C333E979F34965EE733E7C6259586E9B
                                                                                                          SHA-512:339E35B89F2AC7D2FBE9DFD9A55279D20463F7C298332810C0EBAA5DE95E09657F4B2837904AE16A8743C4C7ABF7F3C7581099BC94312C178A21783288790401
                                                                                                          Malicious:false
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.}.}.}.e.....z.)........|....|.Rich}.........PE..L....z.W...........!......................... ...............................`......................................p"..I...` ..P....@..`....................P....................................................... ..`............................text...h........................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc...`....@......................@..@.reloc..l....P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\StartMenu.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):7680
                                                                                                          Entropy (8bit):4.616039420427882
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:HgiqVPb3X8K8Kdr3gEq6nNdMk6Qiw290+q6LDtJ1tU3hhEl7y:HgiqVPgK8K9eIdE9B/tMhg7
                                                                                                          MD5:9CE20025DEF637F7BE257FA96D25ED05
                                                                                                          SHA1:CFEE47F72804FFACD06C2254A5F8DCF47373F9D4
                                                                                                          SHA-256:4B17C914DC40EBA477B653715F07CE9ED9B2EF4A1264A1DAFD624EB289474243
                                                                                                          SHA-512:AFCE99F1BD803E1B744E33302BA2C85C1122487F2BDF006CA433FE93DB2778A6D68D239D927CE7149443F411A12A4FAC2195D6D01AEC4071C71B8F332C96BDFB
                                                                                                          Malicious:false
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(...(...(..<'...(.......(..8....(.......(..Rich.(..........................PE..L....z.W...........!........."............... ...............................p.......................................$..e.... ..x....P..(....................`..t.................................................... ...............................text............................... ..`.rdata..U.... ......................@..@.data........0......................@....rsrc...(....P......................@..@.reloc..8....`......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\System.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11264
                                                                                                          Entropy (8bit):5.770824470205811
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn
                                                                                                          MD5:B8992E497D57001DDF100F9C397FCEF5
                                                                                                          SHA1:E26DDF101A2EC5027975D2909306457C6F61CFBD
                                                                                                          SHA-256:98BCD1DD88642F4DD36A300C76EBB1DDFBBBC5BFC7E3B6D7435DC6D6E030C13B
                                                                                                          SHA-512:8823B1904DCCFAF031068102CB1DEF7958A057F49FF369F0E061F1B4DB2090021AA620BB8442A2A6AC9355BB74EE54371DC2599C20DC723755A46EDE81533A3C
                                                                                                          Malicious:false
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....z.W...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\modern-wizard.bmp
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4
                                                                                                          Category:dropped
                                                                                                          Size (bytes):52988
                                                                                                          Entropy (8bit):1.9568109962493656
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:Qoi47a5G8SddzKFIcsOz3XMoi47a5G8SddzKFIcsOz3Xz:QonoGNd03IonoGNd03/
                                                                                                          MD5:E39731A71ED38499AC6B8E51E8E58E34
                                                                                                          SHA1:F2820C783906CD4F06040B6850856D426519CE15
                                                                                                          SHA-256:A94EF9A36E53192F26D5118F0232B6D7F70943B3CF5A7DF6340A139A226D207B
                                                                                                          SHA-512:F807ED5BE0297462777A82B79D1AAC35CB4FF5FA54DE4D446050A8BB08677488072685A982BFF5A900823C5727196C05EF29B3EEB6ABCD17171C0EF7C3765270
                                                                                                          Malicious:false
                                                                                                          Preview: BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\nsDialogs.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):9728
                                                                                                          Entropy (8bit):5.066422293646434
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:oU2qZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4HpqndYHnxss:oU2q+CP3uKrpyREs06YxqodGn
                                                                                                          MD5:70D4C5F9ACC5DDF934B73FA311ADE7D8
                                                                                                          SHA1:6962E84782B0E1FE798CDCE1D7447211228CA85B
                                                                                                          SHA-256:02869B76936E3C3102BB36E34B41BC989770BF81DCA09F31C561BB6BE52285EE
                                                                                                          SHA-512:40189B463173CBBAD9C5101F37B4A37D970E9CD8E6F3D343CB8E54C54BDC7FDC3CFA8D7D7E7B7B0241C68768607C523BE2C2C21B7EFC727257731E1C5D1673FC
                                                                                                          Malicious:false
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....z.W...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...Q........................... ..`.rdata..{....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..l....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):154
                                                                                                          Entropy (8bit):5.114193705430011
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:mKDDCMNqTtvL5oWXp5cViEaKC50XVASmqRDWXp5cViE2J5xAInTRI4XSu7ZPy:hWKqTtT6WXp+NaZ50lbmq1WXp+N23fT+
                                                                                                          MD5:005C284BFAC71599AEEDBFFA742E1D45
                                                                                                          SHA1:514D841D9D5C3A86E5A7AB8D77312156980F08E6
                                                                                                          SHA-256:B6D37A30E712121D18DE29C69F9289DB416F87298E031A9BCD103FF2EC8C2C87
                                                                                                          SHA-512:2A5FC7C31D1A62D638F4A8190573458AFF36F0DE37D392DEB932A5A46639475FDC1A9D29AD675B6F74301A5C2E2F4679B67B274313469248CFE312D743F90F6C
                                                                                                          Malicious:false
                                                                                                          Preview: @echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\astro-grep.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp7B21.tmp.bat" /f /q..
                                                                                                          C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):48640
                                                                                                          Entropy (8bit):5.561770945961325
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:quCFNTAolrhWU5TeLmo2qrJW6K8e2gaM9PIItc5pIX0byDBm1ERjvmFq+YBDZsx:quCFNTA2G2d6K5aM6Itc5pIEbyAqRzyX
                                                                                                          MD5:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          SHA1:7BA5B175FFB4BB976C54177F9C40A7339A088654
                                                                                                          SHA-256:17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
                                                                                                          SHA-512:BAC97805D8FCBA49B7BDE5067911B293622C610A65F2A2FC527A6C890BE8E79C6CA9C9676786B1EAAC19ECBDB16562EFEE2D7C985707FC04E57E4E3033C75B0B
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\astro-grep.exe, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.................................T...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..Xv.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
                                                                                                          \Device\Null
                                                                                                          Process:C:\Windows\SysWOW64\timeout.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.41440934524794
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                                                          MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                                                          SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                                                          SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                                                          SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                                                          Malicious:false
                                                                                                          Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):7.869948492165745
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:ms.exe
                                                                                                          File size:1068032
                                                                                                          MD5:dbbb611daf3abd47972ae4faf5d54c95
                                                                                                          SHA1:1b33772f2acc9e6673a2922587b00db86f5fba01
                                                                                                          SHA256:d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
                                                                                                          SHA512:140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9
                                                                                                          SSDEEP:24576:jmclmMhCG3sDOdqnRrLVvjD9puJ7li2OLUC0Dc/rP0flxwy:jmzG3sJpRvjhU7I2OLZD/LUr
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F..Q............m.>.....m...F...m.........3.........V...m.......m.=.....Rich............................PE..L....0.N...........

                                                                                                          File Icon

                                                                                                          Icon Hash:e0d08cf8d8ccc8e0

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x403248
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0x4E1030C0 [Sun Jul 3 09:05:04 2011 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:5
                                                                                                          OS Version Minor:1
                                                                                                          File Version Major:5
                                                                                                          File Version Minor:1
                                                                                                          Subsystem Version Major:5
                                                                                                          Subsystem Version Minor:1
                                                                                                          Import Hash:9222d372923baed7aa9dfa28449a94ea

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          call 00007F1D84AFA47Bh
                                                                                                          jmp 00007F1D84AF83DEh
                                                                                                          mov edi, edi
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          sub esp, 20h
                                                                                                          mov eax, dword ptr [ebp+08h]
                                                                                                          push esi
                                                                                                          push edi
                                                                                                          push 00000008h
                                                                                                          pop ecx
                                                                                                          mov esi, 0040920Ch
                                                                                                          lea edi, dword ptr [ebp-20h]
                                                                                                          rep movsd
                                                                                                          mov dword ptr [ebp-08h], eax
                                                                                                          mov eax, dword ptr [ebp+0Ch]
                                                                                                          pop edi
                                                                                                          mov dword ptr [ebp-04h], eax
                                                                                                          pop esi
                                                                                                          test eax, eax
                                                                                                          je 00007F1D84AF855Eh
                                                                                                          test byte ptr [eax], 00000008h
                                                                                                          je 00007F1D84AF8559h
                                                                                                          mov dword ptr [ebp-0Ch], 01994000h
                                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                                          push eax
                                                                                                          push dword ptr [ebp-10h]
                                                                                                          push dword ptr [ebp-1Ch]
                                                                                                          push dword ptr [ebp-20h]
                                                                                                          call dword ptr [00409058h]
                                                                                                          leave
                                                                                                          retn 0008h
                                                                                                          mov edi, edi
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          sub esp, 00000328h
                                                                                                          mov dword ptr [0040DDD8h], eax
                                                                                                          mov dword ptr [0040DDD4h], ecx
                                                                                                          mov dword ptr [0040DDD0h], edx
                                                                                                          mov dword ptr [0040DDCCh], ebx
                                                                                                          mov dword ptr [0040DDC8h], esi
                                                                                                          mov dword ptr [0040DDC4h], edi
                                                                                                          mov word ptr [0040DDF0h], ss
                                                                                                          mov word ptr [0040DDE4h], cs
                                                                                                          mov word ptr [0040DDC0h], ds
                                                                                                          mov word ptr [0040DDBCh], es
                                                                                                          mov word ptr [0040DDB8h], fs
                                                                                                          mov word ptr [0040DDB4h], gs
                                                                                                          pushfd
                                                                                                          pop dword ptr [0040DDE8h]
                                                                                                          mov eax, dword ptr [ebp+00h]
                                                                                                          mov dword ptr [0040DDDCh], eax
                                                                                                          mov eax, dword ptr [ebp+04h]
                                                                                                          mov dword ptr [0040DDE0h], eax
                                                                                                          lea eax, dword ptr [ebp+08h]

                                                                                                          Rich Headers

                                                                                                          Programming Language:
                                                                                                          • [ASM] VS2010 build 30319
                                                                                                          • [LNK] VS2010 build 30319
                                                                                                          • [ C ] VS2010 build 30319
                                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                                          • [C++] VS2010 build 30319

                                                                                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbb04 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0xf78fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x107000 | 0x9e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9160 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb248 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x124 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7842 | 0x7a00 | False | 0.589491547131 | data | 6.48776813349 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x319e | 0x3200 | False | 0.35390625 | data | 4.92389239742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x1a84 | 0xe00 | False | 0.215401785714 | data | 2.57332081688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0xf78fc | 0xf7a00 | False | 0.948167749874 | data | 7.91789788584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x107000 | 0x13aa | 0x1400 | False | 0.4107421875 | data | 4.12102642331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

Name | RVA | Size | Type | Language | Country
RBIND | 0xf330 | 0xbe00 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | |
RBIND | 0x1b130 | 0xe817e | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | |
RT_ICON | 0x1032b0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x1033d8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x103940 | 0x2e8 | data | English | United States
RT_ICON | 0x103c28 | 0x8a8 | data | English | United States
RT_ICON | 0x1044d0 | 0xea8 | data | English | United States
RT_ICON | 0x105378 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x1057e0 | 0x10a8 | data | English | United States
RT_RCDATA | 0x106888 | 0x6 | ASCII text, with no line terminators | |
RT_RCDATA | 0x106890 | 0x1 | very short file (no magic) | |
RT_GROUP_ICON | 0x106894 | 0x68 | data | English | United States
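The Sections and Resources tables above are the two static signals an analyst acts on first: a near-maximal-entropy .rsrc (7.92) that holds most of the file, and two RBIND resources that are themselves complete PE images (a .NET assembly and an NSIS installer). The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it walks the section table of a PE32 file, scores each section's entropy the way the table does, and carves embedded MZ/PE headers back to the section that contains them. The input is a constructed stand-in image built by the script itself (two sections, a second PE buried in seeded random filler), not the real sample's bytes; the e_lfanew sanity range and the "nearest stub wins" rule for duplicate hits are assumptions.

```python
import math
import random
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes, little-endian
FLAG_NAMES = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x20000000: "EXECUTE",
              0x40000000: "READ", 0x80000000: "WRITE"}


def shannon_entropy(buf):
    """Bits per byte, 0.0 to 8.0; packed or encrypted payloads sit near the top."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Follow DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "va": va, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize,
                    "entropy": shannon_entropy(data[rptr:rptr + rsize]),
                    "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit]})
    return out


def carve_embedded_pe(data):
    """MZ stubs (other than the host's) whose e_lfanew lands on a PE signature;
    when several stubs point at one PE header the nearest stub is kept (assumption)."""
    sections = parse_sections(data)
    hits = {}
    off = data.find(b"MZ", 1)
    while off != -1 and off + 0x40 <= len(data):
        e = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e < 0x1000 and data[off + e:off + e + 4] == b"PE\0\0":
            host = next((s["name"] for s in sections
                         if s["raw_ptr"] <= off < s["raw_ptr"] + s["raw_size"]), None)
            hits[off + e] = {"offset": off, "section": host}
        off = data.find(b"MZ", off + 1)
    return list(hits.values())


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, file_align=0x200, sect_align=0x1000):
    """Test scaffolding: a minimal PE32 from (name, raw bytes, characteristics) tuples."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 magic, rest zeroed
    hdr_len = _align(0x40 + 4 + 20 + len(opt) + 40 * len(sections), file_align)
    raw_ptr, va, table, bodies = hdr_len, sect_align, b"", b""
    for name, data, flags in sections:
        raw_size = _align(len(data), file_align)
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(data), sect_align)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + bodies


def build_sample():
    """Constructed stand-in for the layout above (not the real sample's bytes):
    a small .text and a .rsrc hiding a second PE inside high-entropy filler."""
    rng = random.Random(7)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    inner = build_pe([(b".text", b"\xC3" * 16, 0x60000020)])
    rsrc = filler(4096) + inner + filler(4096)
    return build_pe([(b".text", b"\x55\x8B\xEC\x90" * 256, 0x60000020),
                     (b".rsrc", rsrc, 0x40000040)])


if __name__ == "__main__":
    image = build_sample()
    for s in parse_sections(image):
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f} {','.join(s['flags'])}")
    for hit in carve_embedded_pe(image):
        print(f"embedded PE at file offset 0x{hit['offset']:x} in {hit['section']}")
```

Against a real dropper of this shape, replace build_sample() with the bytes of the file; a readable, non-executable section with entropy above 7 that also contains carved PE headers is the signature of a resource-based dropper, and each carved offset can be cut out and analysed on its own.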

                                                                                                          Imports

DLL | Imports
KERNEL32.dll | CreateFileA, FindResourceA, FreeLibrary, LoadResource, WriteFile, SizeofResource, GetProcAddress, LoadLibraryA, LockResource, EnumResourceNamesA, CloseHandle, FreeResource, GetWindowsDirectoryA, OutputDebugStringA, GetTempPathA, GetModuleHandleW, ExitProcess, DecodePointer, EncodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetStdHandle, GetModuleFileNameW, Sleep, HeapSize, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, LCMapStringW, MultiByteToWideChar, GetStringTypeW
SHELL32.dll | ShellExecuteA, SHGetSpecialFolderPathA

Apart from the C runtime boilerplate, the import set is small and telling: EnumResourceNamesA/FindResourceA/LoadResource/LockResource/SizeofResource read the embedded resources, GetTempPathA/SHGetSpecialFolderPathA/CreateFileA/WriteFile write them to disk, and ShellExecuteA launches them, which is consistent with the RBIND resources above and the dropped executable reported in AppData\Roaming.

                                                                                                          Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 17, 2021 22:37:53.508532047 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.549875021 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.550003052 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.573781967 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.615372896 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622695923 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622736931 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622780085 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622852087 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.627290964 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.669157028 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.669414043 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.721821070 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.741940975 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.783473015 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:54.103178978 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:54.103368998 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:54.103446960 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:54.106720924 CEST | 49728 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:37:54.160128117 CEST | 57667 | 49728 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:37:54.675015926 CEST | 49728 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:37:54.728519917 CEST | 57667 | 49728 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:37:55.237852097 CEST | 49728 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:37:55.289629936 CEST | 57667 | 49728 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:00.304848909 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:00.348762035 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:00.355060101 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:00.355103970 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:00.355227947 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:00.358524084 CEST | 49729 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:00.410294056 CEST | 57667 | 49729 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:00.925744057 CEST | 49729 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:00.977613926 CEST | 57667 | 49729 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:01.489135981 CEST | 49729 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:01.541713953 CEST | 57667 | 49729 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:06.553103924 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:06.604161978 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:06.604188919 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:06.608124971 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:06.644505024 CEST | 49735 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:06.696324110 CEST | 57667 | 49735 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:07.222953081 CEST | 49735 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:07.274882078 CEST | 57667 | 49735 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:07.785509109 CEST | 49735 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:07.837845087 CEST | 57667 | 49735 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:12.850732088 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:12.908596992 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:12.908648014 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:12.908916950 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:12.911812067 CEST | 49736 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:12.963500023 CEST | 57667 | 49736 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:13.473674059 CEST | 49736 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:13.525609016 CEST | 57667 | 49736 | 185.195.232.251 | 192.168.2.3
                                                                                                          Jul 17, 2021 22:38:14.036237955 CEST4973657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:14.088299036 CEST5766749736185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.100507975 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:19.157746077 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.157783985 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.157918930 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:19.160206079 CEST4973757667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:19.213813066 CEST5766749737185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.724245071 CEST4973757667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:19.776209116 CEST5766749737185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:20.286585093 CEST4973757667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:20.338562012 CEST5766749737185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.351782084 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:25.408749104 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.408804893 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.409070969 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:25.411675930 CEST4973857667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:25.463526964 CEST5766749738185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.974564075 CEST4973857667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:26.026756048 CEST5766749738185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:26.537090063 CEST4973857667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:26.589363098 CEST5766749738185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:31.602516890 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:31.653217077 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:31.653256893 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:31.653330088 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:31.654366970 CEST4973957667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:31.706090927 CEST5766749739185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:32.209482908 CEST4973957667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:32.263637066 CEST5766749739185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:32.772141933 CEST4973957667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:32.825575113 CEST5766749739185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:37.836153984 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:37.889936924 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:37.889977932 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:37.890063047 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:37.891079903 CEST4974157667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:37.942819118 CEST5766749741185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:38.444505930 CEST4974157667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:38.496376991 CEST5766749741185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:39.022516012 CEST4974157667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:39.074287891 CEST5766749741185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.086864948 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:44.143095970 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.143187046 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.143276930 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:44.145308018 CEST4974357667192.168.2.3185.195.232.251

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 17, 2021 22:36:53.337261915 CEST  51281        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:53.389234066 CEST  53           51281      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:54.775937080 CEST  49199        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:54.826328993 CEST  53           49199      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:54.838499069 CEST  50620        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:54.897867918 CEST  53           50620      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:55.527915001 CEST  64938        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:55.585128069 CEST  53           64938      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:56.656438112 CEST  60152        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:56.717106104 CEST  53           60152      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:57.466645956 CEST  57544        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:57.516228914 CEST  53           57544      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:59.017065048 CEST  55984        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:36:59.077357054 CEST  53           55984      8.8.8.8          192.168.2.3
Jul 17, 2021 22:36:59.952503920 CEST  64185        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:00.003014088 CEST  53           64185      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:00.708069086 CEST  65110        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:00.757761002 CEST  53           65110      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:01.655906916 CEST  58361        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:01.708547115 CEST  53           58361      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:02.530281067 CEST  63492        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:02.587483883 CEST  53           63492      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:03.445619106 CEST  60831        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:03.498022079 CEST  53           60831      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:04.334237099 CEST  60100        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:04.391597986 CEST  53           60100      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:05.231472969 CEST  53195        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:05.291542053 CEST  53           53195      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:06.570487022 CEST  50141        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:06.620836973 CEST  53           50141      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:07.516176939 CEST  53023        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:07.578461885 CEST  53           53023      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:08.355201960 CEST  49563        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:08.408332109 CEST  53           49563      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:09.262511969 CEST  51352        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:09.315294981 CEST  53           51352      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:10.390789986 CEST  59349        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:10.440526962 CEST  53           59349      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:11.292854071 CEST  57084        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:11.350147963 CEST  53           57084      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:28.351500988 CEST  58823        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:28.410435915 CEST  53           58823      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:32.554102898 CEST  57568        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:32.615664005 CEST  53           57568      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:45.202723980 CEST  50540        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:45.279752970 CEST  53           50540      8.8.8.8          192.168.2.3
Jul 17, 2021 22:37:53.417326927 CEST  54366        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:37:53.476236105 CEST  53           54366      8.8.8.8          192.168.2.3
Jul 17, 2021 22:38:02.662139893 CEST  53034        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:38:02.732795954 CEST  53           53034      8.8.8.8          192.168.2.3
Jul 17, 2021 22:38:05.182640076 CEST  57762        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:38:05.244585037 CEST  53           57762      8.8.8.8          192.168.2.3
Jul 17, 2021 22:38:37.332838058 CEST  55435        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:38:37.399772882 CEST  53           55435      8.8.8.8          192.168.2.3
Jul 17, 2021 22:38:40.676698923 CEST  50713        53         192.168.2.3      8.8.8.8
Jul 17, 2021 22:38:40.737597942 CEST  53           50713      8.8.8.8          192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP      Trans ID  OP Code             Name          Type            Class
Jul 17, 2021 22:37:53.417326927 CEST  192.168.2.3  8.8.8.8      0xaf53    Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP    Dest IP      Trans ID  Reply Code    Name          CName  Address        Type            Class
Jul 17, 2021 22:37:53.476236105 CEST  8.8.8.8      192.168.2.3  0xaf53    No error (0)  pastebin.com         104.23.98.190  A (IP address)  IN (0x0001)
Jul 17, 2021 22:37:53.476236105 CEST  8.8.8.8      192.168.2.3  0xaf53    No error (0)  pastebin.com         104.23.99.190  A (IP address)  IN (0x0001)

HTTPS Packets

Timestamp: Jul 17, 2021 22:37:53.622780085 CEST
Source IP: 104.23.98.190
Source Port: 443
Dest IP: 192.168.2.3
Dest Port: 49727
Certificate 1
  Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US
  Not Before: Sat Jul 17 02:00:00 CEST 2021
  Not After: Sun Jul 17 01:59:59 CEST 2022
Certificate 2
  Subject: CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before: Mon Jan 27 13:46:39 CET 2020
  Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior


                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:22:36:58
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\Desktop\ms.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\ms.exe'
                                                                                                          Imagebase:0xa30000
                                                                                                          File size:1068032 bytes
                                                                                                          MD5 hash:DBBB611DAF3ABD47972AE4FAF5D54C95
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:22:37:00
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                                                                                                          Imagebase:0x5f0000
                                                                                                          File size:48640 bytes
                                                                                                          MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:22:37:00
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                                                                                                          Imagebase:0x400000
                                                                                                          File size:950654 bytes
                                                                                                          MD5 hash:A708211241313FEAF9621E571631534D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 5%, Metadefender, Browse
                                                                                                          • Detection: 4%, ReversingLabs
                                                                                                          Reputation:low

General

Start time: 22:37:23
Start date: 17/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:37:24
Start date: 17/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:37:24
Start date: 17/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:37:24
Start date: 17/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:37:24
Start date: 17/07/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Imagebase: 0xcb0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:37:25
Start date: 17/07/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 3
Imagebase: 0x1020000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:37:25
Start date: 17/07/2021
Path: C:\Users\user\AppData\Roaming\astro-grep.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\astro-grep.exe
Imagebase: 0x770000
File size: 48640 bytes
MD5 hash: 432F0E0AAB658DE046D8B41D2CEF8253
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\astro-grep.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 22:37:29
Start date: 17/07/2021
Path: C:\Users\user\AppData\Roaming\astro-grep.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Imagebase: 0x430000
File size: 48640 bytes
MD5 hash: 432F0E0AAB658DE046D8B41D2CEF8253
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, Author: Joe Security
Reputation: low
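The process blocks above record a three-stage persistence routine: cmd.exe runs schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' and exits, a second cmd.exe runs a tmp7B21.tmp.bat dropped in AppData\Local\Temp (whose only visible child is timeout 3), and the copy in AppData\Roaming then starts on its own and matches the AsyncRAT Yara rule. The Python below is an added example, not code from the report or from the sandbox's own signature engine. It tokenizes Windows command lines in the quoting style this report prints (double quotes shown as ', nested quotes as ''), extracts the switches of any schtasks /create invocation even when it is wrapped in cmd.exe /c ... & exit, and reports the logon trigger, the /rl highest run level, the /f overwrite and the user-writable action path as separate findings, alongside a check for cmd.exe /c launching a batch file from a user-writable directory. The sample command lines are constructed from the ones listed above plus one benign daily task for contrast; the list of user-writable directories and the scoring rules are assumptions of this example, not anything the report states.

```python
"""Flag schtasks-based persistence like the chain in the process listing above.
Added example, not code from the report; input is a list of process command lines."""
from __future__ import annotations

# Directories a non-admin user can write to (assumed list for this example).
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
)
# schtasks switches that take the next token as their value.
VALUE_SWITCHES = {"/sc", "/rl", "/tn", "/tr", "/mo", "/d", "/st", "/ru", "/rp", "/xml", "/s", "/u", "/p"}
# Tokens that end one command inside a cmd.exe /c string.
CMD_SEPARATORS = {"&", "&&", "|", "||"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring "..." and '...' quoting.
    The report prints double quotes as ' and nested quotes as '', so both quote
    characters are accepted and an empty '' pair simply vanishes."""
    tokens, buf, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in ('"', "'"):
            quote = ch
        elif ch.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def _basename(token: str) -> str:
    return token.lower().rsplit("\\", 1)[-1]


def parse_schtasks(tokens: list[str]) -> dict[str, str | bool] | None:
    """Return the switches of the first schtasks invocation in tokens, or None.
    Works whether schtasks is the image itself or is wrapped in cmd.exe /c ... & exit."""
    start = next((i for i, t in enumerate(tokens) if _basename(t) in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    args: dict[str, str | bool] = {}
    j = start + 1
    while j < len(tokens) and tokens[j] not in CMD_SEPARATORS:
        switch = tokens[j].lower()
        if switch in VALUE_SWITCHES and j + 1 < len(tokens):
            args[switch] = tokens[j + 1]
            j += 2
        elif switch.startswith("/"):
            args[switch] = True  # flag switch such as /create or /f
            j += 1
        else:
            j += 1
    return args


def assess_schtasks(cmdline: str) -> list[str]:
    """Explain why a schtasks /create command line looks like persistence (empty list if it does not)."""
    args = parse_schtasks(tokenize(cmdline))
    if not args or "/create" not in args:
        return []
    findings = []
    trigger = str(args.get("/sc", "")).lower()
    if trigger in ("onlogon", "onstart"):
        findings.append(f"/sc {trigger}: action re-runs at every logon/boot")
    if str(args.get("/rl", "")).lower() == "highest":
        findings.append("/rl highest: task asks for the user's elevated token")
    action = str(args.get("/tr", ""))
    if any(p in action.lower() for p in USER_WRITABLE):
        findings.append(f"/tr points into a user-writable path: {action}")
    if "/f" in args:
        findings.append("/f: silently overwrites an existing task of the same name")
    return findings


def assess_batch_launch(cmdline: str) -> list[str]:
    """Flag cmd.exe /c running a .bat/.cmd out of a user-writable directory (the tmp*.tmp.bat stage)."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3 or _basename(tokens[0]) != "cmd.exe" or tokens[1].lower() != "/c":
        return []
    target = tokens[2]
    if target.lower().endswith((".bat", ".cmd")) and any(p in target.lower() for p in USER_WRITABLE):
        return [f"cmd.exe /c runs a batch file from a user-writable path: {target}"]
    return []


def scan(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """Run both checks over a list of command lines and keep only those with findings."""
    hits = []
    for line in cmdlines:
        findings = assess_schtasks(line) + assess_batch_launch(line)
        if findings:
            hits.append((line, findings))
    return hits


# Constructed sample: the report's command lines in the report's own quoting,
# plus one benign daily task (normal double quotes) for contrast.
SAMPLE_CMDLINES = [
    r"'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit",
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''",
    r"timeout 3",
    r'schtasks /create /sc daily /st 02:00 /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_CMDLINES):
        print(line)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the first cmd.exe line produces all four schtasks findings and the tmp7B21.tmp.bat line produces the batch-launch finding; conhost, timeout and the benign daily task produce none. Scoring the switches separately rather than matching the whole string is what keeps the rule useful when the task name, path or binary name changes between samples.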
