asyncrat | 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7v20210408
submitted
17-07-2021 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

astro-grep-setup.exe.doc
Size

1.4MB
MD5

9c3d3679ea84ff9bf67bf8c7aa2afc48
SHA1

0470d616e8918ef03098741bf7fb0b313bb8aaea
SHA256

2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
SHA512

6896ad9abbbaa7760825d40086270f649a82a1291798173764e20deb7a5ef7a2f4070e247f27210f77341d70b6ed7215fa72a1711210610b428fcce39006af53

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

Mutex_6SI8OkPnk

Attributes

aes_key
ZgOTIhSVzSTSosv4ITYrzailHXWOHyEM
anti_detection
true
autorun
true
bdos
false
delay
SWARM-SHOP
host
null
hwid
20
install_file
install_folder
%AppData%
mutex
Mutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/VTByvKGM
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
\ProgramData\Memsys\ms.exe	asyncrat
\ProgramData\Memsys\ms.exe	asyncrat
C:\ProgramData\Memsys\ms.exe	asyncrat
\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat

Executes dropped EXE 4 IoCs

Processes:

ms.exeASTRO-GREP.EXEASTROGREP_SETUP_V4.4.7.EXEastro-grep.exe

pid process

344 ms.exe
1684 ASTRO-GREP.EXE
1580 ASTROGREP_SETUP_V4.4.7.EXE
1016 astro-grep.exe

pid	process
344	ms.exe
1684	ASTRO-GREP.EXE
1580	ASTROGREP_SETUP_V4.4.7.EXE
1016	astro-grep.exe

Loads dropped DLL 8 IoCs

Processes:

WINWORD.EXEms.exeASTROGREP_SETUP_V4.4.7.EXEcmd.exe

pid	process
788	WINWORD.EXE
788	WINWORD.EXE
344	ms.exe
344	ms.exe
1580	ASTROGREP_SETUP_V4.4.7.EXE
1580	ASTROGREP_SETUP_V4.4.7.EXE
1580	ASTROGREP_SETUP_V4.4.7.EXE
1676	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NSIS installer 9 IoCs

installer

Processes:

resource	yara_rule
\ProgramData\Memsys\ms.exe	nsis_installer_2
\ProgramData\Memsys\ms.exe	nsis_installer_2
C:\ProgramData\Memsys\ms.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2

Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1544 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

436 timeout.exe

pid	process
1544	schtasks.exe

pid	process
436	timeout.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

788 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ASTRO-GREP.EXE

pid process

1684 ASTRO-GREP.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ASTROGREP_SETUP_V4.4.7.EXE

pid process

1580 ASTROGREP_SETUP_V4.4.7.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ASTRO-GREP.EXEastro-grep.exe

description pid process

Token: SeDebugPrivilege 1684 ASTRO-GREP.EXE
Token: SeDebugPrivilege 1016 astro-grep.exe

pid	process
1684	ASTRO-GREP.EXE

pid	process
1580	ASTROGREP_SETUP_V4.4.7.EXE

description	pid	process
Token: SeDebugPrivilege	1684	ASTRO-GREP.EXE
Token: SeDebugPrivilege	1016	astro-grep.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

WINWORD.EXEms.exeASTRO-GREP.EXEcmd.execmd.exe

description	pid	process	target process
PID 788 wrote to memory of 344	788	WINWORD.EXE	ms.exe
PID 788 wrote to memory of 344	788	WINWORD.EXE	ms.exe
PID 788 wrote to memory of 344	788	WINWORD.EXE	ms.exe
PID 788 wrote to memory of 344	788	WINWORD.EXE	ms.exe
PID 344 wrote to memory of 1684	344	ms.exe	ASTRO-GREP.EXE
PID 344 wrote to memory of 1684	344	ms.exe	ASTRO-GREP.EXE
PID 344 wrote to memory of 1684	344	ms.exe	ASTRO-GREP.EXE
PID 344 wrote to memory of 1684	344	ms.exe	ASTRO-GREP.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 344 wrote to memory of 1580	344	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 788 wrote to memory of 1916	788	WINWORD.EXE	splwow64.exe
PID 788 wrote to memory of 1916	788	WINWORD.EXE	splwow64.exe
PID 788 wrote to memory of 1916	788	WINWORD.EXE	splwow64.exe
PID 788 wrote to memory of 1916	788	WINWORD.EXE	splwow64.exe
PID 1684 wrote to memory of 628	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 628	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 628	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 628	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 1676	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 1676	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 1676	1684	ASTRO-GREP.EXE	cmd.exe
PID 1684 wrote to memory of 1676	1684	ASTRO-GREP.EXE	cmd.exe
PID 628 wrote to memory of 1544	628	cmd.exe	schtasks.exe
PID 628 wrote to memory of 1544	628	cmd.exe	schtasks.exe
PID 628 wrote to memory of 1544	628	cmd.exe	schtasks.exe
PID 628 wrote to memory of 1544	628	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 436	1676	cmd.exe	timeout.exe
PID 1676 wrote to memory of 436	1676	cmd.exe	timeout.exe
PID 1676 wrote to memory of 436	1676	cmd.exe	timeout.exe
PID 1676 wrote to memory of 436	1676	cmd.exe	timeout.exe
PID 1676 wrote to memory of 1016	1676	cmd.exe	astro-grep.exe
PID 1676 wrote to memory of 1016	1676	cmd.exe	astro-grep.exe
PID 1676 wrote to memory of 1016	1676	cmd.exe	astro-grep.exe
PID 1676 wrote to memory of 1016	1676	cmd.exe	astro-grep.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\astro-grep-setup.exe.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\ProgramData\Memsys\ms.exe
C:\ProgramData\Memsys\ms.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
"C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"'
5⤵
- Creates scheduled task(s)
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB37.tmp.bat""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:436

C:\Users\Admin\AppData\Roaming\astro-grep.exe
"C:\Users\Admin\AppData\Roaming\astro-grep.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
"C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1580

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Memsys\ms.exe
MD5
dbbb611daf3abd47972ae4faf5d54c95

SHA1
1b33772f2acc9e6673a2922587b00db86f5fba01

SHA256
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c

SHA512
140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB37.tmp.bat
MD5
4500e6a7c8ff6a28c77e345dcc564e98

SHA1
a4821e2be1b016adac80a654fbd04c9c116b1c70

SHA256
43bbe857c1a3829250a8adb0412552b35aee9890afcc8ce075aa55ed53313391

SHA512
b540cd24bc8efaffca5732be53b6bea175c4eeb067a2fd7a3da113e93a5fed0480ddf8947fb0460844f3efba30059472f95acc703eb62e1d9500d0da446efab5

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
\ProgramData\Memsys\ms.exe
MD5
dbbb611daf3abd47972ae4faf5d54c95

SHA1
1b33772f2acc9e6673a2922587b00db86f5fba01

SHA256
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c

SHA512
140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9

Download Submit
\ProgramData\Memsys\ms.exe
MD5
dbbb611daf3abd47972ae4faf5d54c95

SHA1
1b33772f2acc9e6673a2922587b00db86f5fba01

SHA256
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c

SHA512
140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9

Download Submit
\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
\Users\Admin\AppData\Local\Temp\nsiA5A3.tmp\LangDLL.dll
MD5
91d5e21907e4baff0145339311abf9d9

SHA1
f867d8529d4f3704cd4f475b46699b66cb6c2002

SHA256
acde373cc4916be5df3d239ab67f5980c333e979f34965ee733e7c6259586e9b

SHA512
339e35b89f2ac7d2fbe9dfd9a55279d20463f7c298332810c0ebaa5de95e09657f4b2837904ae16a8743c4c7abf7f3c7581099bc94312c178a21783288790401

Download Submit
\Users\Admin\AppData\Local\Temp\nsiA5A3.tmp\System.dll
MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiA5A3.tmp\nsDialogs.dll
MD5
70d4c5f9acc5ddf934b73fa311ade7d8

SHA1
6962e84782b0e1fe798cdce1d7447211228ca85b

SHA256
02869b76936e3c3102bb36e34b41bc989770bf81dca09f31c561bb6be52285ee

SHA512
40189b463173cbbad9c5101f37b4a37d970e9cd8e6f3d343cb8e54c54bdc7fdc3cfa8d7d7e7b7b0241c68768607c523be2c2c21b7efc727257731e1c5d1673fc

Download Submit
\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
memory/344-66-0x0000000000000000-mapping.dmp

Download
memory/436-91-0x0000000000000000-mapping.dmp

Download
memory/628-87-0x0000000000000000-mapping.dmp

Download
memory/788-60-0x0000000072391000-0x0000000072394000-memory.dmp

Filesize
12KB

Download
memory/788-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/788-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/788-61-0x000000006FE11000-0x000000006FE13000-memory.dmp

Filesize
8KB

Download
memory/1016-99-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1016-94-0x0000000000000000-mapping.dmp

Download
memory/1016-96-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1544-89-0x0000000000000000-mapping.dmp

Download
memory/1580-74-0x0000000000000000-mapping.dmp

Download
memory/1676-88-0x0000000000000000-mapping.dmp

Download
memory/1684-86-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1684-70-0x0000000000000000-mapping.dmp

Download
memory/1684-79-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1916-84-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1916-83-0x0000000000000000-mapping.dmp

Download