Windows Analysis Report ASTRO-GREP.bin

Overview

General Information

Sample Name: ASTRO-GREP.bin (renamed file extension from bin to exe)
Analysis ID: 450881
MD5: 432f0e0aab658de046d8b41d2cef8253
SHA1: 7ba5b175ffb4bb976c54177f9c40a7339a088654
SHA256: 17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb
Tags: AstroGrep, AsyncRAT, exe

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ASTRO-GREP.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\astro-grep.exe ReversingLabs: Detection: 80%
Multi AV Scanner detection for submitted file
Source: ASTRO-GREP.exe Virustotal: Detection: 65%
Source: ASTRO-GREP.exe ReversingLabs: Detection: 80%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ASTRO-GREP.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.astro-grep.exe.380000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.astro-grep.exe.790000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.2.astro-grep.exe.790000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.ASTRO-GREP.exe.e50000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.ASTRO-GREP.exe.e50000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.astro-grep.exe.380000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: ASTRO-GREP.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49764 version: TLS 1.0
Source: ASTRO-GREP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.99.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49764 version: TLS 1.0
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com
Source: astro-grep.exe String found in binary or memory: http://schemas.microsof
Source: ASTRO-GREP.exe, 00000001.00000002.703282881.000000000328F000.00000004.00000001.sdmp, astro-grep.exe, 0000000B.00000002.908534883.00000000026ED000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: astro-grep.exe, 0000000B.00000002.908534883.00000000026ED000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com
Source: astro-grep.exe, 0000000C.00000002.761945326.0000000002A11000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw
Source: astro-grep.exe, 0000000C.00000002.761945326.0000000002A11000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGM
Source: astro-grep.exe, 0000000B.00000002.908548844.00000000026F6000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com4:kt
Source: astro-grep.exe, 0000000B.00000002.908597069.000000000271F000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD8:k
Source: astro-grep.exe, 0000000B.00000002.908597069.000000000271F000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD8:kL
Source: astro-grep.exe, 0000000B.00000002.908586603.000000000271B000.00000004.00000001.sdmp, astro-grep.exe, 0000000B.00000002.908597069.000000000271F000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: astro-grep.exe, 0000000B.00000002.908562991.00000000026FF000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: ASTRO-GREP.exe, type: SAMPLE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.712642418.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.702213908.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.907735012.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.703312210.000000000329C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.640492795.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.761563202.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.706815836.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.exe PID: 3844, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017B8148 1_2_017B8148
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017BB258 1_2_017BB258
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017B7878 1_2_017B7878
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017B7130 1_2_017B7130
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00CF8148 11_2_00CF8148
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00CF7878 11_2_00CF7878
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00CF7130 11_2_00CF7130
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00CFE628 11_2_00CFE628
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\astro-grep.exe 17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
Sample file is different than original file name gathered from version info
Source: ASTRO-GREP.exe Binary or memory string: OriginalFilename vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe, 00000001.00000002.707460158.00000000061C0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe, 00000001.00000002.706204130.0000000005FB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe, 00000001.00000002.703061185.00000000018F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe, 00000001.00000002.702213908.0000000000E52000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe, 00000001.00000002.707650182.00000000063E0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe, 00000001.00000002.707650182.00000000063E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ASTRO-GREP.exe
Source: ASTRO-GREP.exe Binary or memory string: OriginalFilenameStub.exe" vs ASTRO-GREP.exe
Uses 32bit PE files
Source: ASTRO-GREP.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 11.0.astro-grep.exe.380000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.astro-grep.exe.380000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.astro-grep.exe.380000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.astro-grep.exe.380000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.astro-grep.exe.790000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.astro-grep.exe.790000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: astro-grep.exe.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: astro-grep.exe.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ASTRO-GREP.exe, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ASTRO-GREP.exe, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.astro-grep.exe.790000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.astro-grep.exe.790000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/4@1/1
Source: C:\Users\user\Desktop\ASTRO-GREP.exe File created: C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_01
Source: C:\Users\user\Desktop\ASTRO-GREP.exe File created: C:\Users\user\AppData\Local\Temp\tmp7DBD.tmp
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7DBD.tmp.bat''
Source: ASTRO-GREP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ASTRO-GREP.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ASTRO-GREP.exe Virustotal: Detection: 65%
Source: ASTRO-GREP.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\ASTRO-GREP.exe File read: C:\Users\user\Desktop\ASTRO-GREP.exe
Source: unknown Process created: C:\Users\user\Desktop\ASTRO-GREP.exe 'C:\Users\user\Desktop\ASTRO-GREP.exe'
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7DBD.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: ASTRO-GREP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ASTRO-GREP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: ASTRO-GREP.exe, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: astro-grep.exe.1.dr, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.astro-grep.exe.380000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.astro-grep.exe.380000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.astro-grep.exe.790000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.astro-grep.exe.790000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_00E52A66 push 0000003Eh; retn 0000h 1_2_00E52DC0
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_00E54122 push eax; ret 1_2_00E5412C
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_00E52F81 push eax; ret 1_2_00E52F95
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_00E5710D push cs; iretd 1_2_00E57202
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_00E5711F push cs; iretd 1_2_00E57202
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_00E57399 push es; ret 1_2_00E57608
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017BE950 push FFFFFF8Bh; iretd 1_2_017BE953
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017BBE4A pushfd ; retf 1_2_017BBE49
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017BBE10 pushfd ; retf 1_2_017BBE49
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00384122 push eax; ret 11_2_0038412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00382A66 push 0000003Eh; retn 0000h 11_2_00382DC0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00387526 push es; ret 11_2_00387608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_0038711F push cs; iretd 11_2_00387202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_0038710D push cs; iretd 11_2_00387202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00382F81 push eax; ret 11_2_00382F95
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 11_2_00CFBE24 pushfd ; retf 11_2_00CFBE49
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00794122 push eax; ret 12_2_0079412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00792A66 push 0000003Eh; retn 0000h 12_2_00792DC0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00797399 push es; ret 12_2_00797608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_0079711F push cs; iretd 12_2_00797202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_0079710D push cs; iretd 12_2_00797202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 12_2_00792F81 push eax; ret 12_2_00792F95

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\ASTRO-GREP.exe File created: C:\Users\user\AppData\Roaming\astro-grep.exe

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: ASTRO-GREP.exe, type: SAMPLE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.712642418.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.702213908.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.907735012.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.703312210.000000000329C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.640492795.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.761563202.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.706815836.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.exe PID: 3844, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: ASTRO-GREP.exe, type: SAMPLE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.712642418.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.702213908.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.907735012.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.703312210.000000000329C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.640492795.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.761563202.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.706815836.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.exe PID: 3844, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: astro-grep.exe, ASTRO-GREP.exe Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ASTRO-GREP.exe TID: 204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 6472 Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\ASTRO-GREP.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\astro-grep.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ASTRO-GREP.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Thread delayed: delay time: 922337203685477
Source: ASTRO-GREP.exe, 00000001.00000002.706204130.0000000005FB0000.00000002.00000001.sdmp, astro-grep.exe, 0000000B.00000002.910537986.00000000051E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ASTRO-GREP.exe Binary or memory string: vmware
Source: ASTRO-GREP.exe, 00000001.00000002.706204130.0000000005FB0000.00000002.00000001.sdmp, astro-grep.exe, 0000000B.00000002.910537986.00000000051E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ASTRO-GREP.exe, 00000001.00000002.706204130.0000000005FB0000.00000002.00000001.sdmp, astro-grep.exe, 0000000B.00000002.910537986.00000000051E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: astro-grep.exe, 0000000B.00000002.910101541.0000000004B20000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ASTRO-GREP.exe, 00000001.00000002.706204130.0000000005FB0000.00000002.00000001.sdmp, astro-grep.exe, 0000000B.00000002.910537986.00000000051E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Code function: 1_2_017BBC64 CheckRemoteDebuggerPresent, 1_2_017BBC64
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7DBD.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: astro-grep.exe, 0000000B.00000002.908364503.00000000010B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: astro-grep.exe, 0000000B.00000002.908364503.00000000010B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: astro-grep.exe, 0000000B.00000002.908364503.00000000010B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: astro-grep.exe, 0000000B.00000002.908364503.00000000010B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Queries volume information: C:\Users\user\Desktop\ASTRO-GREP.exe VolumeInformation
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
Source: C:\Users\user\Desktop\ASTRO-GREP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: ASTRO-GREP.exe, type: SAMPLE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.astro-grep.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ASTRO-GREP.exe.329c300.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.astro-grep.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.712642418.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.702213908.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.907735012.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.703312210.000000000329C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.640492795.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.761563202.0000000000792000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.706815836.0000000000382000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: ASTRO-GREP.exe PID: 3844, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED