blackguard | d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe
Size

72.8MB
MD5

314b9dee510eca2dfa045520739e6734
SHA1

853a1bd7edc947f437e67aabbd93f748d90e3975
SHA256

d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a
SHA512

1fc4fcdc7cd3b26846ca7b641f0278a953313ec02f2053e704f32aff392ebf9c4d766aa5946f84f313012365959b2e4f158874f1d95104e6aaae927ed7e5984f
SSDEEP

1572864:W6GSXPyRXckWqTaYh9iSZoX5si4I38THE0CYYOiPxR19jiw:hXPydnjTa+eGi4pTHEhYY1pnl

Score

10^/10

blackguard discovery spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Executes dropped EXE 6 IoCs

pid	Process
2284	VegaStealer_v2.exe
2796	v2.exe
2684	extrimhack_cs2_cheats_free_29.01.2025.exe
2032	new-installer.exe
1056	javaw.exe
1208	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe
2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe
2284	VegaStealer_v2.exe
2796	v2.exe
2796	v2.exe
2796	v2.exe
2796	v2.exe
2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe
2796	v2.exe
2796	v2.exe
2796	v2.exe
2796	v2.exe
2796	v2.exe
2032	new-installer.exe
2032	new-installer.exe
2032	new-installer.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe
1056	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1368	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	freegeoip.app
8	ip-api.com
4	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	new-installer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2796	v2.exe
2796	v2.exe
2796	v2.exe
2796	v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	v2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1056	javaw.exe
1056	javaw.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2284	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	31
PID 2420 wrote to memory of 2284	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	31
PID 2420 wrote to memory of 2284	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	31
PID 2420 wrote to memory of 2284	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	31
PID 2284 wrote to memory of 2796	2284	VegaStealer_v2.exe	32
PID 2284 wrote to memory of 2796	2284	VegaStealer_v2.exe	32
PID 2284 wrote to memory of 2796	2284	VegaStealer_v2.exe	32
PID 2284 wrote to memory of 2796	2284	VegaStealer_v2.exe	32
PID 2420 wrote to memory of 2684	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	33
PID 2420 wrote to memory of 2684	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	33
PID 2420 wrote to memory of 2684	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	33
PID 2420 wrote to memory of 2684	2420	d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe	33
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2684 wrote to memory of 2032	2684	extrimhack_cs2_cheats_free_29.01.2025.exe	35
PID 2032 wrote to memory of 1056	2032	new-installer.exe	36
PID 2032 wrote to memory of 1056	2032	new-installer.exe	36
PID 2032 wrote to memory of 1056	2032	new-installer.exe	36
PID 2032 wrote to memory of 1056	2032	new-installer.exe	36
PID 1056 wrote to memory of 1368	1056	javaw.exe	37
PID 1056 wrote to memory of 1368	1056	javaw.exe	37
PID 1056 wrote to memory of 1368	1056	javaw.exe	37
PID 1056 wrote to memory of 2804	1056	javaw.exe	39
PID 1056 wrote to memory of 2804	1056	javaw.exe	39
PID 1056 wrote to memory of 2804	1056	javaw.exe	39
PID 2804 wrote to memory of 2764	2804	cmd.exe	41
PID 2804 wrote to memory of 2764	2804	cmd.exe	41
PID 2804 wrote to memory of 2764	2804	cmd.exe	41
PID 2804 wrote to memory of 2812	2804	cmd.exe	42
PID 2804 wrote to memory of 2812	2804	cmd.exe	42
PID 2804 wrote to memory of 2812	2804	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe
"C:\Users\Admin\AppData\Local\Temp\d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\extrimhack_cs2_cheats_free_29.01.2025.exe
  "C:\Users\Admin\AppData\Local\Temp\extrimhack_cs2_cheats_free_29.01.2025.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\new-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\new-installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api-1.7.25.jar;lib\slf4j-simple-1.7.25.jar;lib\x-jna-4.5.0.jar;lib\x-jphp-dffi-ext-1.0.1.jar;lib\zt-zip-1.11.jar" org.develnext.jphp.ext.javafx.FXLauncher
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:1368
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\System32\reg.exe query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Desktop""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\System32\chcp.com
        
        C:\Windows\System32\chcp.com 65001
        6⤵
        
        PID:2764
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Desktop"
        6⤵
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BouncyCastle.Crypto.dll

Filesize
3.2MB

MD5
0cf454b6ed4d9e46bc40306421e4b800

SHA1
9611aa929d35cbd86b87e40b628f60d5177d2411

SHA256
e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

SHA512
85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\server\jvm.dll

Filesize
8.2MB

MD5
7327b0aa50b6b435c3d50297a0bb70cb

SHA1
4fab443e9523df32b8bc9433a3222d6b3f0fcd5b

SHA256
adabdb763832872ac27ddb5eaab09208b36a90a1968c91543212f20e9e6bf9ea

SHA512
42b45d232ee1034481657b9d8c1d9818e4f51f373b8c56ada68095f009ee202a3e5e19a46df78b37e1e9e92910d6972c990bae3d9fa6ee2f54e6047494538cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\ucrtbase.DLL

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\new-installer.exe

Filesize
120KB

MD5
ff274d05ae80631b31920d0ea1e4417d

SHA1
14f79aba7b5afb20018d3459f75ea349e8be1b6f

SHA256
aa7ffd9bad8fa189805ff1b3940de85d33cea46b3a40942610e59a8ce33f8961

SHA512
0bd31644bc0c36db6cb6e4fedd3a20baddfbf25d0e7515654d090c05c1c527335af20ec8f8d0574ae6b261f8ab287af3dbd0de875af15688c5c4e462bedd0ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
3f62213d184b639a0a62bcb1e65370a8

SHA1
bbf50b3c683550684cdb345d348e98fbe2fcafe0

SHA256
c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

SHA512
0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

Download Submit
C:\Users\Admin\AppData\Roaming\DLTwXTHLJLJyHJyPJCSDMRP.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\DLTwXTHLJLJyHJyPJCSDMRP.Admin\Process.txt

Filesize
473B

MD5
690440fde3e91f1c9c870929d8ad4fef

SHA1
13f62c78571d909353bddb92f884bbd791daaff2

SHA256
d21ac0dd8fc522fc17f2322e0944a29628939c93271957b69a8963515ca04476

SHA512
6b1b3bdfb698e606edd07ff9278bf2b646e87b2075668911ba4e5a94158f2276d74fdd576e0f60668a7f026d28e1a752ddf761e30e9ed26e90d4427893e18371

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
242829c7be4190564becee51c7a43a7e

SHA1
663154c1437acf66480518068fbc756f5cabb72f

SHA256
edc1699e9995f98826df06d2c45beb9e02aa7817bae3e61373096ae7f6fa06e0

SHA512
3529fde428affc3663c5c69baee60367a083841b49583080f0c4c7e72eaa63cabbf8b9da8ccfc473b3c552a0453405a4a68fcd7888d143529d53e5eec9a91a34

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
fb79420ec05aa715fe76d9b89111f3e2

SHA1
15c6d65837c9979af7ec143e034923884c3b0dbd

SHA256
f6a93fe6b57a54aac46229f2ed14a0a979bf60416adb2b2cfc672386ccb2b42e

SHA512
c40884c80f7921addced37b1bf282bb5cb47608e53d4f4127ef1c6ce7e6bb9a4adc7401389bc8504bf24751c402342693b11cef8d06862677a63159a04da544e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
143a735134cd8c889ec7d7b85298705b

SHA1
906ac1f3a933dd57798ae826bbefa3096c20d424

SHA256
b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2

SHA512
c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\java.dll

Filesize
160KB

MD5
b9336d1fedf548d339a9490cdb933823

SHA1
63c46293db0c6dc7427630cd8acbdda95c88e250

SHA256
41358057a6f8913a8d6797644aa9cd9c7fc1bc868d3f389e981483d6b0a4f0be

SHA512
3d0e8a3363e7cae13865afca0459aa354703d5ad00dc0784fde049c642ce66aa223b3ed171bacc0d976a182097afae819540e85d56e531a8f4ffb61f13b30c78

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\javaw.exe

Filesize
270KB

MD5
3c23493afc5edd1538965bedcf4f38e5

SHA1
e553b76d5f297840c0fefced28da4f475de633b4

SHA256
8bc3fd611a20e009844af01fcff3c7babcd6743fdac1c475b49c65a020799a48

SHA512
c3e5e51477163097e0536a9524b8231a907cd9b5f2e3b60d7c40775146fba377795d193074baef88c356da5648395ecfefc7940de0588b1e663b96244593efc3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jre\bin\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
7.7MB

MD5
9f4f298bcf1d208bd3ce3907cfb28480

SHA1
05c1cfde951306f8c6e9d484d3d88698c4419c62

SHA256
bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

SHA512
4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

Download Submit
memory/1056-856-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1056-1003-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1056-1091-0x0000000002570000-0x0000000003570000-memory.dmp

Filesize
16.0MB

Download
memory/1056-1054-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-1055-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-1056-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-1053-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-792-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1056-828-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-829-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-831-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-830-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1056-837-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1056-996-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1056-888-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2032-744-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-52-0x0000000000400000-0x0000000004CCD000-memory.dmp

Filesize
72.8MB

Download
memory/2796-192-0x0000000005330000-0x0000000005398000-memory.dmp

Filesize
416KB

Download
memory/2796-35-0x00000000002F0000-0x000000000033A000-memory.dmp

Filesize
296KB

Download
memory/2796-46-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/2796-249-0x00000000079B0000-0x0000000007CDE000-memory.dmp

Filesize
3.2MB

Download
memory/2796-243-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download