6ca540938f301bbc6196a8845fb5165c213b0ebeb51797b0c20a4f6d5c74d0ef

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2026-Jun-09 23:12:01
Detected languages English - United States
Debug artifacts vgc.pdb
CompanyName Riot Games, Inc.
FileDescription Vanguard user-mode service.
FileVersion 1.90.0.0
InternalName vgc.exe
LegalCopyright Copyright (C) 2021
OriginalFilename vgc.exe
ProductName Vanguard Client
ProductVersion 1.90.0.0

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • %TEMP%
Suspicious: The PE is possibly packed.
Unusual section name found: .fptable
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Can create temporary files:
  • CreateFileA
  • CreateFileW
  • GetTempPathA
Functions related to the privilege level:
  • OpenProcessToken
Manipulates other processes:
  • OpenProcess
Malicious: VirusTotal score: 12/67 (Scanned on 2026-06-14 05:51:28)
APEX: Malicious
Bkav: W32.Malware.CF0EF26E
CrowdStrike: win/malicious_confidence_90% (W)
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
Elastic: malicious (high confidence)
Malwarebytes: Crypt.Trojan.MSIL.DDS
Microsoft: Trojan:Win32/Wacatac.B!ml
Paloalto: generic.ml
Sophos: Mal/Generic-S
Trapmine: malicious.moderate.ml.score
TrellixENS: Artemis!BC4E7656AB85

Hashes

MD5 bc4e7656ab8547202307c9b3cf9fb8de
SHA1 858a6b804ffd1a57f2ca645af1c08eef466d1bea
SHA256 6ca540938f301bbc6196a8845fb5165c213b0ebeb51797b0c20a4f6d5c74d0ef
SHA3 65b922cf1af4086bda7f895f2175170c553ac8f3abbf164d2c53a32f984c8814
SSDeep 24576:o9kydnLaY0LkG88vpdSC1nlBChuDdpM+DKAPEKQ/u+MRkA9oVsYKIZ:0FaFkk9rZvJj3poGYZ
Imports Hash d0b3af131555dfa856f62fd5ff62c040

DOS Header

e_magic MZ
e_cblp 0x78
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x78

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 8
TimeDateStamp 2026-Jun-09 23:12:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x139000
SizeOfInitializedData 0x51400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000123D14 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x191000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6bf55e29929b56c501bb9562166be44e
SHA1 ccb3c165616eb24ce7e1d8f717a605f4212c8980
SHA256 526a470388ee1a874b6bd6462ff7d4a8a628e8ecc725eacf7eadb8d5067bd655
SHA3 c24c64a47bff3f4e831908fa43cf882ae00ae49cafde9c9540ed32ffbb686647
VirtualSize 0x138fd6
VirtualAddress 0x1000
SizeOfRawData 0x139000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.97007

.rdata

MD5 6f06fd3c6acf1a66e922d4827139e5e7
SHA1 ae8addd792f96b9bca7e7c58702b9160032a6ed9
SHA256 eb509cc443dbded0bf04b863b3277eb90ee7b88b1119e26fc54cfacf9c6c06a9
SHA3 1ebd28046293258e3089b94057912307b15e3bb992ea99c815a876b9bc8a37f0
VirtualSize 0xb9b4
VirtualAddress 0x13a000
SizeOfRawData 0xba00
PointerToRawData 0x139400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.22293

.data

MD5 52814ba515e494ea6b6165434feb11eb
SHA1 228dd50647b9c37bf4457d4d40ef04cade8233f0
SHA256 79995b12ea678788f5012a6292a115c36a6aa78be8dbf8ea796017d339e561ee
SHA3 fcada9d39a0bd2c589971f85f2430041f30a3609f14925233b4f8bfa635fc864
VirtualSize 0x44cc2
VirtualAddress 0x146000
SizeOfRawData 0x43000
PointerToRawData 0x144e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.98806

.pdata

MD5 c2a2083f4a2c3a204fa51d316363b88a
SHA1 058ce9d982f0613ce93b41ffd47fb713e39fc94e
SHA256 2f9d64c0e4cf957a72e859d7c22d68b692fdc1c35213f3f1f3f51e9713d00f9f
SHA3 e156d3dd44ea650ceb962cc4aac4ae68839fcde0bca699a44caf5ea3f3e92a85
VirtualSize 0x1728
VirtualAddress 0x18b000
SizeOfRawData 0x1800
PointerToRawData 0x187e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.38681

.fptable

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x100
VirtualAddress 0x18d000
SizeOfRawData 0x200
PointerToRawData 0x189600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

_RDATA

MD5 2fe27c5a3d0f279fb0c18902b326e9b7
SHA1 543971c97cfe41ea6a06075f2af6fa86b9424cbc
SHA256 20a7936a3da611d4c031698f6e909f36998911d5d4f07599e440e2ef005ad7e8
SHA3 b4e64191e57ed9bb27affdabf9b3ca1ca8c1a04854e425bbe2b04e2fa9a13cc6
VirtualSize 0x1f4
VirtualAddress 0x18e000
SizeOfRawData 0x200
PointerToRawData 0x189800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.21846

.rsrc

MD5 e42df5d65e6514854ffad86da48b97ad
SHA1 a537f19e9283158f11b7ac897b49427b0f9a10df
SHA256 1eca9c64ba5616af32d8ad0eefdf205379a3f97c6bfcaeb17251eb27e52a7a60
SHA3 037819bf3b99b77c98630f0f068adebd29c5101986343995b7442650cde2765f
VirtualSize 0x4f8
VirtualAddress 0x18f000
SizeOfRawData 0x600
PointerToRawData 0x189a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.62461

.reloc

MD5 4fdd4ffcb71e9e326fc3388797234607
SHA1 3af145625a892d3b3f9603d2f1387646ede6898e
SHA256 0e9a4007a2d4a789c972c55e51b10af68cfbfb817f1193504b957065997fc651
SHA3 5fc860fef2e4ebb0c775a98d48027367fe1d304150ca659631b15a4d9ae6d513
VirtualSize 0x7d4
VirtualAddress 0x190000
SizeOfRawData 0x800
PointerToRawData 0x18a000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.38465

Imports

ADVAPI32.dll ConvertStringSecurityDescriptorToSecurityDescriptorW
InitializeSecurityDescriptor
OpenProcessToken
RegisterServiceCtrlHandlerW
SetSecurityDescriptorDacl
SetServiceStatus
StartServiceCtrlDispatcherW
KERNEL32.dll CloseHandle
CompareStringW
ConnectNamedPipe
CreateEventW
CreateFileA
CreateFileW
CreateNamedPipeA
CreateThread
DeleteCriticalSection
DeleteFileA
DisconnectNamedPipe
EncodePointer
EnterCriticalSection
ExitProcess
ExitThread
FindClose
FindFirstFileExW
FindNextFileW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryAndExitThread
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileSizeEx
GetFileType
GetLastError
GetLocalTime
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetNamedPipeClientProcessId
GetOEMCP
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
GetTempPathA
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
LocalFree
MultiByteToWideChar
OpenProcess
OutputDebugStringA
QueryPerformanceCounter
RaiseException
ReadConsoleW
ReadFile
RtlCaptureContext
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwindEx
RtlVirtualUnwind
SetEnvironmentVariableW
SetEvent
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualProtect
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile
USERENV.dll ExpandEnvironmentStringsForUserW
bcrypt.dll BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptEncrypt
BCryptGenRandom
BCryptGenerateSymmetricKey
BCryptOpenAlgorithmProvider
BCryptSetProperty

Delayed Imports

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x2e0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.39008
MD5 6a18e48d76d4489d9523876af48f23e7
SHA1 3dbcc59b042fbe7536e490c235d98f6b0003c471
SHA256 8b37d55d8db1742bc6f84fbaec92ec3c8b1bc30e154f36a34870b7fe919da530
SHA3 ecefe18f36951a5b50a5e046107c36f07a71a5ab1172887bd4ff75da04369126

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x173
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.86408
MD5 ec99e449d59f4ea12cb3cacd67758333
SHA1 a937a8ee39e3f34f965272e65ec222ee180409b7
SHA256 21b94da3059888ac59c765033b2285253f7a1d7308a412630a001af11474f478
SHA3 e35f054b574a0d6d517272f0c24fc14e8dc594346ca8196a070fd4d8f2abe5e8

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.90.0.0
ProductVersion 1.90.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Riot Games, Inc.
FileDescription Vanguard user-mode service.
FileVersion (#2) 1.90.0.0
InternalName vgc.exe
LegalCopyright Copyright (C) 2021
OriginalFilename vgc.exe
ProductName Vanguard Client
ProductVersion (#2) 1.90.0.0
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2026-Jun-09 23:12:01
Version 0.0
SizeofData 32
AddressOfRawData 0x14308c
PointerToRawData 0x14248c
Referenced File vgc.pdb

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140146040

RICH Header

Errors
