blackguard | d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExtrimHackCS2.exe
Size

72.8MB
MD5

314b9dee510eca2dfa045520739e6734
SHA1

853a1bd7edc947f437e67aabbd93f748d90e3975
SHA256

d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a
SHA512

1fc4fcdc7cd3b26846ca7b641f0278a953313ec02f2053e704f32aff392ebf9c4d766aa5946f84f313012365959b2e4f158874f1d95104e6aaae927ed7e5984f
SSDEEP

1572864:W6GSXPyRXckWqTaYh9iSZoX5si4I38THE0CYYOiPxR19jiw:hXPydnjTa+eGi4pTHEhYY1pnl

Score

10^/10

blackguard discovery spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	ExtrimHackCS2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	VegaStealer_v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	extrimhack_cs2_cheats_free_29.01.2025.exe

Executes dropped EXE 5 IoCs

pid	Process
4968	VegaStealer_v2.exe
4928	v2.exe
468	extrimhack_cs2_cheats_free_29.01.2025.exe
1708	new-installer.exe
2568	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
4928	v2.exe
4928	v2.exe
4928	v2.exe
4928	v2.exe
4928	v2.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	freegeoip.app
17	freegeoip.app
22	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	new-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtrimHackCS2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4928	v2.exe
4928	v2.exe
4928	v2.exe
4928	v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	v2.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1708	new-installer.exe
2568	javaw.exe
2568	javaw.exe
2568	javaw.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4968	2396	ExtrimHackCS2.exe	86
PID 2396 wrote to memory of 4968	2396	ExtrimHackCS2.exe	86
PID 2396 wrote to memory of 4968	2396	ExtrimHackCS2.exe	86
PID 4968 wrote to memory of 4928	4968	VegaStealer_v2.exe	87
PID 4968 wrote to memory of 4928	4968	VegaStealer_v2.exe	87
PID 4968 wrote to memory of 4928	4968	VegaStealer_v2.exe	87
PID 2396 wrote to memory of 468	2396	ExtrimHackCS2.exe	88
PID 2396 wrote to memory of 468	2396	ExtrimHackCS2.exe	88
PID 468 wrote to memory of 1708	468	extrimhack_cs2_cheats_free_29.01.2025.exe	90
PID 468 wrote to memory of 1708	468	extrimhack_cs2_cheats_free_29.01.2025.exe	90
PID 468 wrote to memory of 1708	468	extrimhack_cs2_cheats_free_29.01.2025.exe	90
PID 1708 wrote to memory of 2568	1708	new-installer.exe	92
PID 1708 wrote to memory of 2568	1708	new-installer.exe	92
PID 2568 wrote to memory of 876	2568	javaw.exe	93
PID 2568 wrote to memory of 876	2568	javaw.exe	93
PID 876 wrote to memory of 2232	876	cmd.exe	95
PID 876 wrote to memory of 2232	876	cmd.exe	95
PID 876 wrote to memory of 1876	876	cmd.exe	96
PID 876 wrote to memory of 1876	876	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\ExtrimHackCS2.exe
"C:\Users\Admin\AppData\Local\Temp\ExtrimHackCS2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- C:\Users\Admin\AppData\Local\Temp\extrimhack_cs2_cheats_free_29.01.2025.exe
  "C:\Users\Admin\AppData\Local\Temp\extrimhack_cs2_cheats_free_29.01.2025.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\new-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\new-installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api-1.7.25.jar;lib\slf4j-simple-1.7.25.jar;lib\x-jna-4.5.0.jar;lib\x-jphp-dffi-ext-1.0.1.jar;lib\zt-zip-1.11.jar" org.develnext.jphp.ext.javafx.FXLauncher
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\System32\reg.exe query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Desktop""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\System32\chcp.com
        
        C:\Windows\System32\chcp.com 65001
        6⤵
        
        PID:2232
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Desktop"
        6⤵
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\java.dll

Filesize
160KB

MD5
b9336d1fedf548d339a9490cdb933823

SHA1
63c46293db0c6dc7427630cd8acbdda95c88e250

SHA256
41358057a6f8913a8d6797644aa9cd9c7fc1bc868d3f389e981483d6b0a4f0be

SHA512
3d0e8a3363e7cae13865afca0459aa354703d5ad00dc0784fde049c642ce66aa223b3ed171bacc0d976a182097afae819540e85d56e531a8f4ffb61f13b30c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\javaw.exe

Filesize
270KB

MD5
3c23493afc5edd1538965bedcf4f38e5

SHA1
e553b76d5f297840c0fefced28da4f475de633b4

SHA256
8bc3fd611a20e009844af01fcff3c7babcd6743fdac1c475b49c65a020799a48

SHA512
c3e5e51477163097e0536a9524b8231a907cd9b5f2e3b60d7c40775146fba377795d193074baef88c356da5648395ecfefc7940de0588b1e663b96244593efc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\net.dll

Filesize
100KB

MD5
fc7e4bd8ddbcfebec4e1ec9b44f863c0

SHA1
0e84390396ca738fb4b24366dda9b8ce6ed65ca8

SHA256
bd6f097d1ee2850ba78d219711ba2a79175999693828399c30905ea632a96d17

SHA512
6a3618dc85b4fb62dea7639b3c067b62c0eaedd28c80f351165c8d0d2debceac7b5eb37bb36330a59241a52010a48787fc672d31fa8998a3460f76b4fcfa28eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\nio.dll

Filesize
63KB

MD5
251570d12dcaba9e8a8dd76d8be55157

SHA1
5372353db99ddf7639117b4ec3a5e67fbdb9abaa

SHA256
879fe280412feadd6e46a915bccec062f03b66f6f3a17adf7eb8906da851ea1c

SHA512
3397674130a01af58c79cb632c1f8599b77d5b878d9cc4e6f9d06fc410286b3eb3e52b99aefaa602e4ff5f8558687e8acc428ce413b40cda5b679e8cdc0b5ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\server\jvm.dll

Filesize
8.2MB

MD5
7327b0aa50b6b435c3d50297a0bb70cb

SHA1
4fab443e9523df32b8bc9433a3222d6b3f0fcd5b

SHA256
adabdb763832872ac27ddb5eaab09208b36a90a1968c91543212f20e9e6bf9ea

SHA512
42b45d232ee1034481657b9d8c1d9818e4f51f373b8c56ada68095f009ee202a3e5e19a46df78b37e1e9e92910d6972c990bae3d9fa6ee2f54e6047494538cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\verify.dll

Filesize
51KB

MD5
e76361f5ee3c06ce3038fbe0577c879f

SHA1
3a6b461a0a923cf5b02474b3289b9f512ad7808b

SHA256
ae9a18effa75ab1db27d04bc8dde22549e7bccb1b19e93680ee86ebb680ee229

SHA512
8bc5078b6e1a02fa45a29de8fde9f407cc9336984ed51145bf04667606b9141bb8aeda0b7db960fdcfd16fee0d4d426921a8773d4f3cf728270728186dc9ba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\zip.dll

Filesize
82KB

MD5
91d8a1a6661ec19c37dc0f5f569d75e9

SHA1
65644f274be4dbfb7f728a849d5088e5be657962

SHA256
8a4ec586ddeae311587b1e4c67612d6ef1f70dd450bc0d0295f62586ff2b8034

SHA512
5cb065cf030b4e78758e75d525f0e0761742ee4efd7e30dc65a7df5b8bf0a81122469545da587a3a1599b44ba74d7cd75262c48188d6a713266911c065de27df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\charsets.jar

Filesize
2.9MB

MD5
ad22e8c7b02f5a7dfdf8eb4010220a6d

SHA1
f248e9199dd9016a9fe445a976761a2dac8d2df8

SHA256
28b577e26280649eafcd90bd0c6c68c940e3c2efe21cdafb772d2e4646c08d3e

SHA512
1f91e0c433fb6512787508d15ce0ae80fc0159a799fa4323aed4b634499f8f393dc7a1d4e3340f5500cb81524ec277aa3ec6ade8fb51c81ad0423fcf619ecd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\currency.data

Filesize
4KB

MD5
efc058cb4b31621b39ff9470a29232ab

SHA1
91f5f2e2e117d29480a678096ec6376dce412ed1

SHA256
6b3718a03de4e4938fa0c0f1cc9c574056918478402c36ad82327afc620da740

SHA512
6d8526b862d0d57be9d4238e55112871671eb87d365ad6bb383bef30bf63048bbf1afb1d83159d53c10f1b83ea632db7046c33afbb0004b7f3b1807bfd1690e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\ext\jfxrt.jar

Filesize
17.4MB

MD5
f591d5d6f921b291d5956db8d479dbae

SHA1
f0d06e2dbf6220110b2e376afa7735348854d9f3

SHA256
349a38e66862a0c848b0f22cd44ee966192ecf333cf9d9afec1ad3152f4ba9be

SHA512
fb4f2963c39488bb7235c5d13aca82557970f2e28f9d138c1a9222e3af6bd0f2f0af776e770ae6f37b264e27fa72d7c73cc4f618461d5426cc4a40a78f9fd007

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\ext\meta-index

Filesize
1KB

MD5
005faac2118450bfcd46ae414da5f0e5

SHA1
9f5c887e0505e1bb06bd1fc7975a3219709d061d

SHA256
f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8

SHA512
8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\jce.jar

Filesize
117KB

MD5
781dc309ae8df17c7b14dac228bd6e5f

SHA1
aeedfb043d8c8a735c2c23a32985e68717148c9d

SHA256
6696d67667cec11385a10b1aecfb5e9c799e3cabb0e435a073487a9e688cc70f

SHA512
23f8e4154e2745b85cdef8b8a9824dd0919c0fd11178ee8dc85cef728dccd4ec705961e7ac3c2fdea8ba8a67846b37aa623b613da634344b7b2c0aacffbb980c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\jfr.jar

Filesize
559KB

MD5
3ed4a78c647164251f593d1b8a5d6b43

SHA1
8787b2ddb88c1e4a67c1c1b0d8aa645eac83d6af

SHA256
c544a7ff5fb69590d90bbfcb4fcb658a6535632e36999091f72e162845110541

SHA512
03f49b72520f702a55f04daaa48ccc19cb5b8f689f937d454232d25dacdb8eda98703191587a8541138c7f41e21a6dc62af0138279abd34918daef53e6169af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\jsse.jar

Filesize
1.7MB

MD5
621e41891542e5544e422e2250c04faf

SHA1
a88bce011770fe69eb6430c9660aec349f7d964a

SHA256
042677aa071e84b3b8b31357d5feccecce78b00101d6f90c48de9e02ebc50e7e

SHA512
222d4ab8b4c70229eb464fae5ccc1d5ad49d085ae95585a58ead59794b6b3e8b9f0146258780ca5084c1c1749947a19470975d5624b20a7e3956c6093f620913

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\resources.jar

Filesize
3.4MB

MD5
0bc0b16003c097b6b8cd929eb82d3e37

SHA1
231003dba2276c4f9a9b7d1b58571f1aa2b4ea46

SHA256
17f3cc189c99b9d64607edbba49afe0635d36d3c1b22af8669a5e9c6ca2bce6c

SHA512
6fb3df202569a7ca08f749ef1c7f2f24d1882d1d480834d67c6c4bb9e40a647213008440844383819bf4d959757690014e85782c68da925f8e483d85b5dde21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\security\java.security

Filesize
55KB

MD5
9b2547a905c3140b80405617f810b96e

SHA1
76651a6ee0bc610eefd0c160543915a9e285e9b2

SHA256
9297035c8b63d93f6dc19ecd3ff22f0397a8f371d468b683b598692107f61a8f

SHA512
45e4b7d6a2aa9337f9d6612d6627dbf4159ce40b9998e511d237c2e3d4f1056f06088031d4e45ab36c6c6a1167f05d831f1817624d49b8222033e6222cb1e825

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\asm-all.jar

Filesize
241KB

MD5
f5ad16c7f0338b541978b0430d51dc83

SHA1
2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a

SHA256
7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d

SHA512
82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\dn-compiled-module.jar

Filesize
1.7MB

MD5
2ccc9445b6924a5175708e6cbf227b25

SHA1
b740d41933ad92cadddc4e4bf6703a85886fe0cb

SHA256
75c9118523b0a0a94aa469298175d930e484dabad98ce1321c003729724742b7

SHA512
5ffbdc45050ee2ca2ef0d958b29750039ddd5e85e9c250eb00e574237ebb634a57e04cdc23d60be8228ac81b4a0becdb26baec578410bf845b76d4060286f435

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\dn-php-sdk.jar

Filesize
12KB

MD5
3e5e8cccff7ff343cbfe22588e569256

SHA1
66756daa182672bff27e453eed585325d8cc2a7a

SHA256
0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4

SHA512
8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\gson.jar

Filesize
226KB

MD5
5134a2350f58890ffb9db0b40047195d

SHA1
751f548c85fa49f330cecbb1875893f971b33c4e

SHA256
2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32

SHA512
c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-app-framework.jar

Filesize
103KB

MD5
0c8768cdeb3e894798f80465e0219c05

SHA1
c4da07ac93e4e547748ecc26b633d3db5b81ce47

SHA256
15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669

SHA512
35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-core.jar

Filesize
464KB

MD5
7e5e3d6d352025bd7f093c2d7f9b21ab

SHA1
ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57

SHA256
5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a

SHA512
c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-desktop-ext.jar

Filesize
16KB

MD5
b50e2c75f5f0e1094e997de8a2a2d0ca

SHA1
d789eb689c091536ea6a01764bada387841264cb

SHA256
cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23

SHA512
57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-gui-ext.jar

Filesize
688KB

MD5
6696368a09c7f8fed4ea92c4e5238cee

SHA1
f89c282e557d1207afd7158b82721c3d425736a7

SHA256
c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4

SHA512
0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-json-ext.jar

Filesize
16KB

MD5
fde38932b12fc063451af6613d4470cc

SHA1
bc08c114681a3afc05fb8c0470776c3eae2eefeb

SHA256
9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830

SHA512
0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-runtime.jar

Filesize
1.1MB

MD5
d5ef47c915bef65a63d364f5cf7cd467

SHA1
f711f3846e144dddbfb31597c0c165ba8adf8d6b

SHA256
9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6

SHA512
04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-xml-ext.jar

Filesize
19KB

MD5
0a79304556a1289aa9e6213f574f3b08

SHA1
7ee3bde3b1777bf65d4f62ce33295556223a26cd

SHA256
434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79

SHA512
1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-zend-ext.jar

Filesize
95KB

MD5
4bc2aea7281e27bc91566377d0ed1897

SHA1
d02d897e8a8aca58e3635c009a16d595a5649d44

SHA256
4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288

SHA512
da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\jphp-zip-ext.jar

Filesize
11KB

MD5
047623462d2b4eb7e89a32edb5341c33

SHA1
c13ac4521338eaa61f47aa8f96839bf3a02ce4aa

SHA256
c66b8b347df4ae83f5c0eff8cb0ace247fc5f5d8458a85ee0060542d225d54db

SHA512
d8e029cd2588e8c550e5dea2b81a6b709cdf418aa653c158492182b4224bf9a4616b46e68074cdedbbb93d316e8041babb31e872e48d37e351a8933433d36eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\slf4j-api-1.7.25.jar

Filesize
40KB

MD5
caafe376afb7086dcbee79f780394ca3

SHA1
da76ca59f6a57ee3102f8f9bd9cee742973efa8a

SHA256
18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79

SHA512
5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\slf4j-simple-1.7.25.jar

Filesize
14KB

MD5
722bb90689aecc523e3fe317e1f0984b

SHA1
8dacf9514f0c707cbbcdd6fd699e8940d42fb54e

SHA256
0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874

SHA512
d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\x-jna-4.5.0.jar

Filesize
1.4MB

MD5
ac50a8197824a5926256534ae44d983d

SHA1
55b548d3195efc5280bf1c3f17b49659c54dee40

SHA256
617a8d75f66a57296255a13654a99f10f72f0964336e352211247ed046da3e94

SHA512
7156f31404cd86ee9ac2da0e47079c6e0f252c75f52b1a83412190180354e637bd33df4ccd66de536f4420526e9f543bc264d086d9b1875cdbf2777b5042477d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\x-jphp-dffi-ext-1.0.1.jar

Filesize
18KB

MD5
ee605d5fa2ab76d0a05c894fa364e435

SHA1
02f49ae98acb7827b441346b209364f2c6738e34

SHA256
f1456b6f08b9038a8be674e352a8435743d67fb4de3ab0db9ac62f72ac39c87e

SHA512
2dc4c3d496ac99a763ec568554c81a6248c49d24abd7b141b359e97aa6a0b5a183471e76b730da980d6f78f2171392dc6df60e0449b5332e2a66c7e25c2fc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lib\zt-zip-1.11.jar

Filesize
102KB

MD5
0fd8bc4f0f2e37feb1efc474d037af55

SHA1
add8fface4c1936787eb4bffe4ea944a13467d53

SHA256
1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b

SHA512
29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\new-installer.exe

Filesize
120KB

MD5
ff274d05ae80631b31920d0ea1e4417d

SHA1
14f79aba7b5afb20018d3459f75ea349e8be1b6f

SHA256
aa7ffd9bad8fa189805ff1b3940de85d33cea46b3a40942610e59a8ce33f8961

SHA512
0bd31644bc0c36db6cb6e4fedd3a20baddfbf25d0e7515654d090c05c1c527335af20ec8f8d0574ae6b261f8ab287af3dbd0de875af15688c5c4e462bedd0ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
7.7MB

MD5
9f4f298bcf1d208bd3ce3907cfb28480

SHA1
05c1cfde951306f8c6e9d484d3d88698c4419c62

SHA256
bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

SHA512
4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
3f62213d184b639a0a62bcb1e65370a8

SHA1
bbf50b3c683550684cdb345d348e98fbe2fcafe0

SHA256
c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

SHA512
0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

Download Submit
C:\Users\Admin\AppData\Roaming\wJXwHJHVPPLZJPwHFTZwBRWCNDMR.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\wJXwHJHVPPLZJPwHFTZwBRWCNDMR.Admin\Process.txt

Filesize
1KB

MD5
36d9348b40792aab03a4ac83178868fc

SHA1
0ae81ad9871679b1cc9a9d78ed1d3a6efe3cc3f0

SHA256
367d4ee91f409249014cb92826ba2034b6ed85e5b9353a62a157c117143e5017

SHA512
9af9b70a67990e066943f7546365596cf8a0e19f9ed68dde7c3c762b33e39f104d8851a9a04d636e3f05fbaeae019a448fb5b0c96814e3fd65abd1090dbb6c53

Download Submit
memory/1708-820-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2396-99-0x0000000000400000-0x0000000004CCD000-memory.dmp

Filesize
72.8MB

Download
memory/2568-1038-0x0000023261080000-0x0000023261081000-memory.dmp

Filesize
4KB

Download
memory/2568-1153-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1166-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-864-0x0000023261080000-0x0000023261081000-memory.dmp

Filesize
4KB

Download
memory/2568-1164-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1162-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1160-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1159-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1157-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-921-0x0000023261080000-0x0000023261081000-memory.dmp

Filesize
4KB

Download
memory/2568-1150-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1149-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1152-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-884-0x0000023261080000-0x0000023261081000-memory.dmp

Filesize
4KB

Download
memory/2568-1151-0x0000023262930000-0x0000023263930000-memory.dmp

Filesize
16.0MB

Download
memory/2568-1077-0x0000023261080000-0x0000023261081000-memory.dmp

Filesize
4KB

Download
memory/2568-939-0x0000023261080000-0x0000023261081000-memory.dmp

Filesize
4KB

Download
memory/4928-97-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/4928-365-0x0000000007810000-0x0000000007886000-memory.dmp

Filesize
472KB

Download
memory/4928-434-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/4928-43-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/4928-50-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/4928-364-0x0000000007450000-0x00000000074B6000-memory.dmp

Filesize
408KB

Download
memory/4928-277-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download
memory/4928-273-0x0000000007520000-0x00000000076E2000-memory.dmp

Filesize
1.8MB

Download
memory/4928-212-0x0000000006590000-0x00000000065CC000-memory.dmp

Filesize
240KB

Download
memory/4928-165-0x00000000060C0000-0x000000000610C000-memory.dmp

Filesize
304KB

Download
memory/4928-98-0x0000000005400000-0x0000000005450000-memory.dmp

Filesize
320KB

Download
memory/4928-100-0x0000000005E40000-0x0000000005E62000-memory.dmp

Filesize
136KB

Download
memory/4928-105-0x0000000006120000-0x0000000006188000-memory.dmp

Filesize
416KB

Download
memory/4928-221-0x0000000006530000-0x0000000006551000-memory.dmp

Filesize
132KB

Download
memory/4928-142-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download