zgrat | aa78d28127b7e9b4bb1fe32a5610a51dc2ee8248d5b55b7cced7e9650559ccc1

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adguardVPNInstaller.exe
Size

113KB
MD5

49a7b6cbb30da964374cdd8530a14d24
SHA1

9f24c79cc0fcc7fe6cce5a0283ba94821b4bff57
SHA256

aa78d28127b7e9b4bb1fe32a5610a51dc2ee8248d5b55b7cced7e9650559ccc1
SHA512

28aa023255265a2e8cfeb059de07e1923eae87d2aa2914af8141ec3cd7caf3cf867a8fd880ef7073fc1d8c8c14356beb88666d56f8c1a41fecbc2c89af2db185
SSDEEP

1536:o4GZnjfFGS6VW3RtfNxwxfHKMFHPGwFCVZUpbdXH+j0NJszM8wpXxR:o4GZnrASj3/HQLFvGwFCZ+XH+IX8wp3

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001980d-198.dat	family_zgrat_v1
behavioral1/files/0x000500000001980d-199.dat	family_zgrat_v1
behavioral1/memory/2008-201-0x00000000061A0000-0x000000000639C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
3048	setup.exe
2008	setup.exe

Loads dropped DLL 21 IoCs

pid	Process
2032	adguardVPNInstaller.exe
3048	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe
2008	setup.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	adguardVPNInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	adguardVPNInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	adguardVPNInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	adguardVPNInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	adguardVPNInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	adguardVPNInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 2032 wrote to memory of 3048	2032	adguardVPNInstaller.exe	29
PID 3048 wrote to memory of 2008	3048	setup.exe	30
PID 3048 wrote to memory of 2008	3048	setup.exe	30
PID 3048 wrote to memory of 2008	3048	setup.exe	30
PID 3048 wrote to memory of 2008	3048	setup.exe	30
PID 3048 wrote to memory of 2008	3048	setup.exe	30
PID 3048 wrote to memory of 2008	3048	setup.exe	30
PID 3048 wrote to memory of 2008	3048	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\adguardVPNInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\adguardVPNInstaller.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe
  C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe AID=32362
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\Temp\{369DF17A-CF85-47A1-8D74-03AAB473CBCE}\.cr\setup.exe
    "C:\Windows\Temp\{369DF17A-CF85-47A1-8D74-03AAB473CBCE}\.cr\setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=284 -burn.filehandle.self=292 AID=32362
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d54f9740ed6fb65cbc45deed56dd6fae

SHA1
44cd7f3dffc0054007592bd9a666e3c8912f0b72

SHA256
2e277521bded0697205b1746465ea43ee3c4500afae20fbf1695418225e548b3

SHA512
b0341a92353237dd5b0c24ffffe9526ae8e087d60b244410077a9aec945c500be11270da360b8b7fe82a1d63f2fb0ae22c9c1dc6eb65c766dd2a92edfa6bbeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6CE8.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6DA6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
23.6MB

MD5
1cbfaba0adc5b9b50f623035df1e4ebc

SHA1
fecc51c27c003ca35f5c061ae238e58e37752c49

SHA256
f54bf6c36ecaa142b62fdcceadcaf198d241a0470fcfe392de228e2ae93b3000

SHA512
a41631783e500a92dfb9f4bdaf46eae9a1c61ccfb5ce5adb3c71cfbbf37c15927a4361e17702e6d6ca64babffef93d62615b48fae0adde4d14ebda42225d6704

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
23.6MB

MD5
1cbfaba0adc5b9b50f623035df1e4ebc

SHA1
fecc51c27c003ca35f5c061ae238e58e37752c49

SHA256
f54bf6c36ecaa142b62fdcceadcaf198d241a0470fcfe392de228e2ae93b3000

SHA512
a41631783e500a92dfb9f4bdaf46eae9a1c61ccfb5ce5adb3c71cfbbf37c15927a4361e17702e6d6ca64babffef93d62615b48fae0adde4d14ebda42225d6704

Download Submit
C:\Windows\Temp\{369DF17A-CF85-47A1-8D74-03AAB473CBCE}\.cr\setup.exe

Filesize
2.7MB

MD5
a9c66a0ee105d5dc5eb8a26bd66a843b

SHA1
a96a26594c872a8229813494b41284b101b341db

SHA256
1e814731b1bfc40f90b018edb9536dd5fa5da66cec207af2ef721944510dd880

SHA512
e37059eae2d91b7da2522065d612812eb7caf0a45f2f120702808f9762fe712e7616a7621a55ca1e8faed01fafb9c39351728b0081a20e2eaa9979c5dc4b60a2

Download Submit
C:\Windows\Temp\{369DF17A-CF85-47A1-8D74-03AAB473CBCE}\.cr\setup.exe

Filesize
2.7MB

MD5
a9c66a0ee105d5dc5eb8a26bd66a843b

SHA1
a96a26594c872a8229813494b41284b101b341db

SHA256
1e814731b1bfc40f90b018edb9536dd5fa5da66cec207af2ef721944510dd880

SHA512
e37059eae2d91b7da2522065d612812eb7caf0a45f2f120702808f9762fe712e7616a7621a55ca1e8faed01fafb9c39351728b0081a20e2eaa9979c5dc4b60a2

Download Submit
C:\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
427918825375ce8aa01f208629c901fa

SHA1
bb983d3b30454deb48695e495b8483195d72c927

SHA256
eee85d8d43e427f87e043f9516bc2511c891980a134eba7e2d6097438ef860e4

SHA512
1368fb726b21d96278773e37ff36b20952578c814f7e4d3ef76cc81a5b2d608f04e65c1e6328f19aa59f40dd2701d6f5afa167cde14143d385cd075a8359b4cf

Download Submit
\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
23.6MB

MD5
1cbfaba0adc5b9b50f623035df1e4ebc

SHA1
fecc51c27c003ca35f5c061ae238e58e37752c49

SHA256
f54bf6c36ecaa142b62fdcceadcaf198d241a0470fcfe392de228e2ae93b3000

SHA512
a41631783e500a92dfb9f4bdaf46eae9a1c61ccfb5ce5adb3c71cfbbf37c15927a4361e17702e6d6ca64babffef93d62615b48fae0adde4d14ebda42225d6704

Download Submit
\Windows\Temp\{369DF17A-CF85-47A1-8D74-03AAB473CBCE}\.cr\setup.exe

Filesize
2.7MB

MD5
a9c66a0ee105d5dc5eb8a26bd66a843b

SHA1
a96a26594c872a8229813494b41284b101b341db

SHA256
1e814731b1bfc40f90b018edb9536dd5fa5da66cec207af2ef721944510dd880

SHA512
e37059eae2d91b7da2522065d612812eb7caf0a45f2f120702808f9762fe712e7616a7621a55ca1e8faed01fafb9c39351728b0081a20e2eaa9979c5dc4b60a2

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.CrashReporter.dll

Filesize
580KB

MD5
2b33d4fcbd1434d119ff27d3025820ce

SHA1
55c283f673fc407b4faa20554aa1d34e5586fe8d

SHA256
c3443206a047fd95f8cf2c462540ff809301f4847a3ed25b912b9b15af730151

SHA512
16ac51d13449d7ba804bcf764346bc70f073388f1c1ade4c73b035e58ac3a999f923041770b1e3fcbb8008fed122ce6395950ed9944b5faf3cf62b5694f003f3

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.CrashReporter.dll

Filesize
580KB

MD5
2b33d4fcbd1434d119ff27d3025820ce

SHA1
55c283f673fc407b4faa20554aa1d34e5586fe8d

SHA256
c3443206a047fd95f8cf2c462540ff809301f4847a3ed25b912b9b15af730151

SHA512
16ac51d13449d7ba804bcf764346bc70f073388f1c1ade4c73b035e58ac3a999f923041770b1e3fcbb8008fed122ce6395950ed9944b5faf3cf62b5694f003f3

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.Utils.UI.dll

Filesize
556KB

MD5
6d9bb385d8eb358c45197b61f7128c49

SHA1
64f1674f1a342cc7732545c5aa8fee6aa53ae0aa

SHA256
4fa12b84af73970ecc70e221c47da9dea2858b266cf255e2f70ac2b23cc2cb49

SHA512
802ca353366acdeb025275089423d655c3919f06a9215c8244f511a39ebd4ab25bbdec7656364fb856a69dd354f613284590482f585007cbd4ce4e2e01cd4c89

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.Utils.UI.dll

Filesize
556KB

MD5
6d9bb385d8eb358c45197b61f7128c49

SHA1
64f1674f1a342cc7732545c5aa8fee6aa53ae0aa

SHA256
4fa12b84af73970ecc70e221c47da9dea2858b266cf255e2f70ac2b23cc2cb49

SHA512
802ca353366acdeb025275089423d655c3919f06a9215c8244f511a39ebd4ab25bbdec7656364fb856a69dd354f613284590482f585007cbd4ce4e2e01cd4c89

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
3172d64c6f5d4eed8b24cbf8af50afa8

SHA1
85316e8f265ca32ac8bd7f3e30e00a99c6886abe

SHA256
00a9eeb37dcad21ac9f1137afb7161cb55e03bf55833ca83859cc3fb24a20a1f

SHA512
bf70da14606227bb3cc721f35fa5f37cda4e6f9c3a32472f9bb7e82ca71a66c7bafd26605d323abc68bc9c84559ad322bb9ec1a1c67e8286c7600b548a95178c

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
3172d64c6f5d4eed8b24cbf8af50afa8

SHA1
85316e8f265ca32ac8bd7f3e30e00a99c6886abe

SHA256
00a9eeb37dcad21ac9f1137afb7161cb55e03bf55833ca83859cc3fb24a20a1f

SHA512
bf70da14606227bb3cc721f35fa5f37cda4e6f9c3a32472f9bb7e82ca71a66c7bafd26605d323abc68bc9c84559ad322bb9ec1a1c67e8286c7600b548a95178c

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuardVpn.Burn.dll

Filesize
255KB

MD5
dab0cf0d882fe9769665d94f9bf26643

SHA1
982877e18aee4605b5f8a190553c75d61dc49694

SHA256
5b9a0cf4befc9192695e00525e0d400795323793549aee69db29ce694845b587

SHA512
e9bdc93b66519e5e4fa198cb009e15413958b6ceb85b1ccf710de542af6a387c474700defb2d5ebe213eaf4fa4b4169ed3f3deb54cab192d0636f5d76d1f37ad

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\AdGuardVpn.Burn.dll

Filesize
255KB

MD5
dab0cf0d882fe9769665d94f9bf26643

SHA1
982877e18aee4605b5f8a190553c75d61dc49694

SHA256
5b9a0cf4befc9192695e00525e0d400795323793549aee69db29ce694845b587

SHA512
e9bdc93b66519e5e4fa198cb009e15413958b6ceb85b1ccf710de542af6a387c474700defb2d5ebe213eaf4fa4b4169ed3f3deb54cab192d0636f5d76d1f37ad

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\SharpRaven.dll

Filesize
96KB

MD5
1bd677bea16cf6490c6cf35c0d1c0174

SHA1
dd7b027aa51433c824e99cac7b7a8c5c27a28a3f

SHA256
d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955

SHA512
ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\SharpRaven.dll

Filesize
96KB

MD5
1bd677bea16cf6490c6cf35c0d1c0174

SHA1
dd7b027aa51433c824e99cac7b7a8c5c27a28a3f

SHA256
d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955

SHA512
ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82

Download Submit
\Windows\Temp\{C569E801-629B-440D-B8A8-F85A45E2B757}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
memory/2008-229-0x0000000006870000-0x0000000006918000-memory.dmp

Filesize
672KB

Download
memory/2008-235-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-216-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2008-248-0x0000000006ED0000-0x0000000006FD0000-memory.dmp

Filesize
1024KB

Download
memory/2008-217-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-183-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-222-0x0000000002780000-0x000000000279E000-memory.dmp

Filesize
120KB

Download
memory/2008-189-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-206-0x00000000059E0000-0x0000000005A74000-memory.dmp

Filesize
592KB

Download
memory/2008-197-0x00000000026C0000-0x0000000002706000-memory.dmp

Filesize
280KB

Download
memory/2008-188-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/2008-190-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-201-0x00000000061A0000-0x000000000639C000-memory.dmp

Filesize
2.0MB

Download
memory/2008-210-0x0000000005630000-0x00000000056BE000-memory.dmp

Filesize
568KB

Download
memory/2008-237-0x00000000030F0000-0x00000000030FA000-memory.dmp

Filesize
40KB

Download
memory/2008-236-0x00000000030F0000-0x00000000030FA000-memory.dmp

Filesize
40KB

Download
memory/2008-238-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-239-0x0000000006ED0000-0x0000000006FD0000-memory.dmp

Filesize
1024KB

Download
memory/2008-240-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-241-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2008-242-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-243-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-244-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-245-0x00000000056C0000-0x0000000005700000-memory.dmp

Filesize
256KB

Download
memory/2008-246-0x00000000030F0000-0x00000000030FA000-memory.dmp

Filesize
40KB

Download
memory/2008-247-0x00000000030F0000-0x00000000030FA000-memory.dmp

Filesize
40KB

Download
memory/2032-81-0x00000000009F0000-0x0000000000A10000-memory.dmp

Filesize
128KB

Download