zgrat | c93d0c374e09947472526fbe936ae4c0cba10b2f1258fe58bcc8208340399171

Analysis

max time kernel
121s
max time network
165s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adguardInstaller.exe
Size

142KB
MD5

d8cd51480ecf511782081069a7104294
SHA1

f3f8be244db69cbfdb064c59a5c43cf6df853edb
SHA256

c93d0c374e09947472526fbe936ae4c0cba10b2f1258fe58bcc8208340399171
SHA512

d06a5bd9e100b2cabae83306e12b882ff2389540aae3693a1fb3e1dd9292eeca5f394c3891df660d31be77af4eabd4a771c2f30891a4cf47b3f64a952161ebc1
SSDEEP

3072:T4qZHnMyBV3vuhLFvGyfmKvK9MkBr/8wpn:T4qZHdV3vKvK9MkhPpn

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x0004000000005b7a-186.dat	family_zgrat_v1
behavioral1/files/0x0004000000005b7a-187.dat	family_zgrat_v1
behavioral1/memory/1284-189-0x0000000006050000-0x0000000006254000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
2228	setup.exe
1284	setup.exe

Loads dropped DLL 19 IoCs

pid	Process
1968	adguardInstaller.exe
2228	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe
1284	setup.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	adguardInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	adguardInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	adguardInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	adguardInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	adguardInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	adguardInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 1968 wrote to memory of 2228	1968	adguardInstaller.exe	29
PID 2228 wrote to memory of 1284	2228	setup.exe	30
PID 2228 wrote to memory of 1284	2228	setup.exe	30
PID 2228 wrote to memory of 1284	2228	setup.exe	30
PID 2228 wrote to memory of 1284	2228	setup.exe	30
PID 2228 wrote to memory of 1284	2228	setup.exe	30
PID 2228 wrote to memory of 1284	2228	setup.exe	30
PID 2228 wrote to memory of 1284	2228	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\adguardInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\adguardInstaller.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe
  C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe AID=18675_page_es_welcome
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\Temp\{8CA038DD-7BC1-4EFD-8B34-498E98BEB133}\.cr\setup.exe
    "C:\Windows\Temp\{8CA038DD-7BC1-4EFD-8B34-498E98BEB133}\.cr\setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=284 -burn.filehandle.self=292 AID=18675_page_es_welcome
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17745d77035ae245d6f808d53e45c6ea

SHA1
e6efa7a0699e0970f1c43516c8bb21a479e2bda4

SHA256
ba41a54fa134508be025f2dd0180fe8e2abdd82c3b249b24728d3a8ac58f78fa

SHA512
8ad218a90bda9c66874e1a4c731b210804de695dc613f23449e8d0244b0fc52adda60ffc0bec279cc6390742186c3a779484794bd765615fc5dd3938f426cdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7E17.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7EB6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
34.9MB

MD5
f6c033d77be4ad6fa0610727e1056dd1

SHA1
5bbe6d4f8a15eb34e2c8ded75ea7d379e9333ed2

SHA256
51ea9b79789de4d6f53e2c53c196e5003a11d8942f90ea6816ce994e8e54a6fa

SHA512
45cd8f3b38e5065a0ddc9677d8fa2ef45bafd55ebf2a6e08d61bfcb5bf7cad0fb281f486500d84f1d254aa33a640b23de9e86ee72828699004a599ee2524d251

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
34.9MB

MD5
f6c033d77be4ad6fa0610727e1056dd1

SHA1
5bbe6d4f8a15eb34e2c8ded75ea7d379e9333ed2

SHA256
51ea9b79789de4d6f53e2c53c196e5003a11d8942f90ea6816ce994e8e54a6fa

SHA512
45cd8f3b38e5065a0ddc9677d8fa2ef45bafd55ebf2a6e08d61bfcb5bf7cad0fb281f486500d84f1d254aa33a640b23de9e86ee72828699004a599ee2524d251

Download Submit
C:\Windows\Temp\{8CA038DD-7BC1-4EFD-8B34-498E98BEB133}\.cr\setup.exe

Filesize
2.8MB

MD5
9139cb178f9fc4930597bf4464678a01

SHA1
307adf537e166118495bfc75e560e03fda3864ef

SHA256
947644da599a10679d0e39532e9361a2b2a24e51adec87ca222cbd79b530d55a

SHA512
f301d1bde17522af7da3305f236d94ff1a053d64e9ac807f2049f8ca6a83ee27869a097b2fe33710c9782a5ff983645ab54c380b1a6a46c4a0827e339d2a1893

Download Submit
C:\Windows\Temp\{8CA038DD-7BC1-4EFD-8B34-498E98BEB133}\.cr\setup.exe

Filesize
2.8MB

MD5
9139cb178f9fc4930597bf4464678a01

SHA1
307adf537e166118495bfc75e560e03fda3864ef

SHA256
947644da599a10679d0e39532e9361a2b2a24e51adec87ca222cbd79b530d55a

SHA512
f301d1bde17522af7da3305f236d94ff1a053d64e9ac807f2049f8ca6a83ee27869a097b2fe33710c9782a5ff983645ab54c380b1a6a46c4a0827e339d2a1893

Download Submit
C:\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
898c2a320bea0580f37beeccda8f2378

SHA1
eccab214a148e6a7a9535bf1c83b714c756dabf2

SHA256
4440270efc95c694150a665b62ca89b8b93b1271dfb2757e8dd1a68ef2705498

SHA512
e4608aab984c6e97b00e80d2635a283392f1eb24bdb65f5fce92851eb63ad474e5050ac46e5cafe2dbd438dd026269253bd4ec427f08b2a09788d6b1d49bcc84

Download Submit
\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
34.9MB

MD5
f6c033d77be4ad6fa0610727e1056dd1

SHA1
5bbe6d4f8a15eb34e2c8ded75ea7d379e9333ed2

SHA256
51ea9b79789de4d6f53e2c53c196e5003a11d8942f90ea6816ce994e8e54a6fa

SHA512
45cd8f3b38e5065a0ddc9677d8fa2ef45bafd55ebf2a6e08d61bfcb5bf7cad0fb281f486500d84f1d254aa33a640b23de9e86ee72828699004a599ee2524d251

Download Submit
\Windows\Temp\{8CA038DD-7BC1-4EFD-8B34-498E98BEB133}\.cr\setup.exe

Filesize
2.8MB

MD5
9139cb178f9fc4930597bf4464678a01

SHA1
307adf537e166118495bfc75e560e03fda3864ef

SHA256
947644da599a10679d0e39532e9361a2b2a24e51adec87ca222cbd79b530d55a

SHA512
f301d1bde17522af7da3305f236d94ff1a053d64e9ac807f2049f8ca6a83ee27869a097b2fe33710c9782a5ff983645ab54c380b1a6a46c4a0827e339d2a1893

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\AdGuard.Utils.UI.dll

Filesize
566KB

MD5
4c65d91bf72cf4cc0b72df60b3870434

SHA1
9f757d57ddfcd695915a32e235a0d72d01431196

SHA256
c94fe6b07c638cce3e17ac191987af6b9c3af81bcf772a39912be34241b34f4f

SHA512
fa48bbc4648776c8c49a74b259940b7b54ce6eed0f0e7ea9a2d0c7d427230f58d89c9949934bc76177bb8e70194060656c0f590119f54ead3137214401ce882b

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\AdGuard.Utils.UI.dll

Filesize
566KB

MD5
4c65d91bf72cf4cc0b72df60b3870434

SHA1
9f757d57ddfcd695915a32e235a0d72d01431196

SHA256
c94fe6b07c638cce3e17ac191987af6b9c3af81bcf772a39912be34241b34f4f

SHA512
fa48bbc4648776c8c49a74b259940b7b54ce6eed0f0e7ea9a2d0c7d427230f58d89c9949934bc76177bb8e70194060656c0f590119f54ead3137214401ce882b

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
5940d6d2c8ca412ace239c975735e182

SHA1
38a7c5cbd7723a1d9f06872ece668286a5784d21

SHA256
5e374bf9f71dbc331164ef1e114a163fff3821db2d49f9b4536906999084a9af

SHA512
6723c867ca925557382ad31d0d514b11dd23f0d654b2b9015126c2168148287e4c183f7965539331c2333b8ed3fdf9db849c5d27c773aeb8517e71b318f45dbd

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
5940d6d2c8ca412ace239c975735e182

SHA1
38a7c5cbd7723a1d9f06872ece668286a5784d21

SHA256
5e374bf9f71dbc331164ef1e114a163fff3821db2d49f9b4536906999084a9af

SHA512
6723c867ca925557382ad31d0d514b11dd23f0d654b2b9015126c2168148287e4c183f7965539331c2333b8ed3fdf9db849c5d27c773aeb8517e71b318f45dbd

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\Adguard.Burn.dll

Filesize
277KB

MD5
72f5737e86b1e83ca13ef6f74ad6767e

SHA1
71aa708c8058901fc149b405eb776aa6079b3922

SHA256
88583fe5b3b093134d6047c134a09d9b14d03668da279a1026c188c5a150918c

SHA512
0f0ef277a417124ebf2a2ec8030160d25a36290435a59fbb238611ae8ac339ddedb0c96e0d8a367cecc97aed3ea34817df4af220a79a517e5a583bef5b515089

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\Adguard.Burn.dll

Filesize
277KB

MD5
72f5737e86b1e83ca13ef6f74ad6767e

SHA1
71aa708c8058901fc149b405eb776aa6079b3922

SHA256
88583fe5b3b093134d6047c134a09d9b14d03668da279a1026c188c5a150918c

SHA512
0f0ef277a417124ebf2a2ec8030160d25a36290435a59fbb238611ae8ac339ddedb0c96e0d8a367cecc97aed3ea34817df4af220a79a517e5a583bef5b515089

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\SharpRaven.dll

Filesize
96KB

MD5
1bd677bea16cf6490c6cf35c0d1c0174

SHA1
dd7b027aa51433c824e99cac7b7a8c5c27a28a3f

SHA256
d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955

SHA512
ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\SharpRaven.dll

Filesize
96KB

MD5
1bd677bea16cf6490c6cf35c0d1c0174

SHA1
dd7b027aa51433c824e99cac7b7a8c5c27a28a3f

SHA256
d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955

SHA512
ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82

Download Submit
\Windows\Temp\{E19F761F-56B2-4E21-AAD8-CA2202F07BE8}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
memory/1284-173-0x0000000000D60000-0x0000000000D78000-memory.dmp

Filesize
96KB

Download
memory/1284-218-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-189-0x0000000006050000-0x0000000006254000-memory.dmp

Filesize
2.0MB

Download
memory/1284-196-0x0000000002880000-0x000000000289E000-memory.dmp

Filesize
120KB

Download
memory/1284-185-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/1284-181-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/1284-169-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-174-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-202-0x00000000064B0000-0x0000000006558000-memory.dmp

Filesize
672KB

Download
memory/1284-208-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-167-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1284-225-0x0000000006A80000-0x0000000006B80000-memory.dmp

Filesize
1024KB

Download
memory/1284-212-0x0000000006B80000-0x0000000006C12000-memory.dmp

Filesize
584KB

Download
memory/1284-213-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/1284-214-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/1284-217-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1284-191-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-219-0x0000000006A80000-0x0000000006B80000-memory.dmp

Filesize
1024KB

Download
memory/1284-220-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/1284-221-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-222-0x0000000003450000-0x0000000003490000-memory.dmp

Filesize
256KB

Download
memory/1284-223-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/1284-224-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/1968-84-0x00000000010F0000-0x0000000001117000-memory.dmp

Filesize
156KB

Download