10a6d1044186ddaf801d57ab4fdd6991a44b859332fd8e2ae8990f7edd4b3206

Analysis

max time kernel
149s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
31-10-2020 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badlion Client Web Setup 2.17.0.exe
Size

1.0MB
MD5

edf47633312f964b28dfc3ed91f320c7
SHA1

c9df701aae470466e5b8639328aa0a95c148f2f8
SHA256

10a6d1044186ddaf801d57ab4fdd6991a44b859332fd8e2ae8990f7edd4b3206
SHA512

98e1f0c70fbea5bf684136a976e9e8a8bb9f83c6c9f9625248485772f59f0ef529e5191434ce02fd7448e8c3810dd9450360422b3b1257036da4dc8f05547493

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

Badlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exe

pid process

3876 Badlion Client.exe
3372 Badlion Client.exe
2704 Badlion Client.exe
2260 Badlion Client.exe
396 Badlion Client.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Badlion Client.exeBadlion Client.exeBadlion Client.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Badlion Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Badlion Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Badlion Client.exe

Loads dropped DLL 24 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exeBadlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exe

pid	process
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3372	Badlion Client.exe
2704	Badlion Client.exe
3372	Badlion Client.exe
3372	Badlion Client.exe
3372	Badlion Client.exe
2260	Badlion Client.exe
2260	Badlion Client.exe
2260	Badlion Client.exe
2260	Badlion Client.exe
396	Badlion Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 20 IoCs

Processes:

yara_rule
js
C:\Program Files\Badlion Client\Badlion Client.exe	js
C:\Program Files\Badlion Client\Badlion Client.exe	js
C:\Program Files\Badlion Client\v8_context_snapshot.bin	js
C:\Program Files\Badlion Client\natives_blob.bin	js
C:\Program Files\Badlion Client\resources.pak	js
C:\Program Files\Badlion Client\resources\electron.asar	js
C:\Program Files\Badlion Client\resources\app.asar	js
C:\Program Files\Badlion Client\swiftshader\libGLESv2.dll	js
C:\Program Files\Badlion Client\d3dcompiler_47.dll	js
C:\Program Files\Badlion Client\libeay32.dll	js
C:\Program Files\Badlion Client\libGLESv2.dll	js
C:\Program Files\Badlion Client\Badlion Client.exe	js
C:\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\swiftshader\libGLESv2.dll	js
\Program Files\Badlion Client\d3dcompiler_47.dll	js
C:\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\swiftshader\libGLESv2.dll	js
\Program Files\Badlion Client\d3dcompiler_47.dll	js
C:\Program Files\Badlion Client\Badlion Client.exe	js

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Badlion Client.exe

pid process

3876 Badlion Client.exe

Drops file in Program Files directory 331 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exe

description	ioc	process
File opened for modification	C:\Program Files\Badlion Client\locales\te.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\vi.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\zh-TW.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\snapshot_blob.bin	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-core-namedpipe-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\licenses.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\fa.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\lv.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-crt-stdio-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-processthreads-l1-1-1.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-sysinfo-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-process-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\psapi.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-console-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-file-l2-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-core-handle-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\resources.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\resources\images.zip	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\resources	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\pl.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\vi.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-core-interlocked-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\ffmpeg.exe	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\chrome_200_percent.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\schematica.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\xdelta.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\msvcp140.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\ssleay32.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\icudtl.dat	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\tiny-process-library.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\de.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-file-l1-2-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-synch-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\notenoughupdates-repo.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\lt.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\ta.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\natives_blob.bin	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\resources\electron.asar	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\roots.pem	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\roots.pem	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-core-timezone-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\mclib.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\he.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\vcruntime140.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\ffmpeg.readme.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\fil.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-stdio-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\sk.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-private-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-localization-l1-2-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\concrt140.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\badlion.licenses.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\bn.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-core-heap-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\it.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\grpc.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\lz4-java.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\ca.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-debug-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-locale-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\ffmpeg.exe	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\libEGL.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\chrome_100_percent.pak	Badlion Client Web Setup 2.17.0.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors MicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 171 IoCs

Processes:

MicrosoftEdge.exeBadlion Client.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\discord-418076578333851669\DefaultIcon	Badlion Client.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F99E86DE-98FC-47B9-A3EF-D4F7BBE9B25C} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\discord-418076578333851669\shell\open\command	Badlion Client.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\discord-418076578333851669\ = "URL:Run game 418076578333851669 protocol"	Badlion Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\discord-418076578333851669\DefaultIcon\ = "C:\\Program Files\\Badlion Client\\Badlion Client.exe"	Badlion Client.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{1F23199D-FC89-403E-90D0-E0DC0031006E}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 11407d61aaafd601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d2acbb484c60510658f0adab2f39ef06326f162223a90fdd6167478dede8e585a130193a03f401d517d64fe612ac6ab18db5da2acdf5886c1f228c9766d8b610d501c1187ba15e472d6fdec339007e586b5958d9c02a634cc1216ac3b1f8dd94a83f5c424007a741f5dd2ba2a7d523c5ce79722e59e9865ab88696c69bea58f9f20a44ededc51c6cfc40df5fcfcbb84556378c30c1d00abbe9706c98244d812ffb82f1b19b7d0a9a3fb9c274c1826346edb1a6186c816d467bffdf22afc0c32035c871e390ce41bfbb66d478799b79fc27098a55d79aef853d53ae4ba2e590973bfaddb6e758d3779668ed2502b4ef20af5d355af9bc0e44d88b27453b5b68451239d43d8dbb791c1ce0f7c91b6e56bb06cf123f5b8851ab8fc9703394c10ad534a5b42c1c97a56c03ec7394f4696cfb937dc233ba9caaf3092cca20e8b9690f1d5e7a75608c10c0dfad26f5de45f323e5890ebd659a69a142d4e54440e205070c842cac0a3ad2d2b943d2469ca233856b123ac8fc207a528ae0e494a9db7065413752465841dc155fcf97cb72210e899437f1880fd0d81e9116bc92c021278502fcc3be2625	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Badlion Client.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Badlion Client.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exeBadlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exe

pid	process
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
2868	Badlion Client Web Setup 2.17.0.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe
2704	Badlion Client.exe
2704	Badlion Client.exe
2260	Badlion Client.exe
2260	Badlion Client.exe
396	Badlion Client.exe
396	Badlion Client.exe
3876	Badlion Client.exe
3876	Badlion Client.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exeBadlion Client.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeSecurityPrivilege	2868	Badlion Client Web Setup 2.17.0.exe
Token: SeShutdownPrivilege	3876	Badlion Client.exe
Token: SeDebugPrivilege	2700	MicrosoftEdge.exe
Token: SeDebugPrivilege	2700	MicrosoftEdge.exe
Token: SeDebugPrivilege	2700	MicrosoftEdge.exe
Token: SeDebugPrivilege	2700	MicrosoftEdge.exe
Token: SeDebugPrivilege	4220	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4220	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4220	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4220	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2700	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Badlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exeBadlion Client.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
3876	Badlion Client.exe
3372	Badlion Client.exe
2704	Badlion Client.exe
2260	Badlion Client.exe
396	Badlion Client.exe
2700	MicrosoftEdge.exe
4156	MicrosoftEdgeCP.exe
4156	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Badlion Client.exe

description	pid	process	target process
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 3372	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 2704	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 2704	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 2260	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 2260	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 396	3876	Badlion Client.exe	Badlion Client.exe
PID 3876 wrote to memory of 396	3876	Badlion Client.exe	Badlion Client.exe

C:\Users\Admin\AppData\Local\Temp\Badlion Client Web Setup 2.17.0.exe
"C:\Users\Admin\AppData\Local\Temp\Badlion Client Web Setup 2.17.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files\Badlion Client\Badlion Client.exe
"C:\Program Files\Badlion Client\Badlion Client.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Program Files\Badlion Client\Badlion Client.exe
"C:\Program Files\Badlion Client\Badlion Client.exe" --type=gpu-process --field-trial-handle=2596,9610253500628220561,8798354694262612430,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --use-gl=swiftshader-webgl --service-request-channel-token=3514643423478823074 --mojo-platform-channel-handle=2656 --ignored=" --type=renderer " /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Program Files\Badlion Client\Badlion Client.exe
"C:\Program Files\Badlion Client\Badlion Client.exe" --type=renderer --field-trial-handle=2596,9610253500628220561,8798354694262612430,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Program Files\Badlion Client\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#38434d --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=15611628364984272373 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Program Files\Badlion Client\Badlion Client.exe
"C:\Program Files\Badlion Client\Badlion Client.exe" --type=gpu-process --field-trial-handle=2596,9610253500628220561,8798354694262612430,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --use-gl=swiftshader-webgl --service-request-channel-token=1624880903277636206 --mojo-platform-channel-handle=3648 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Program Files\Badlion Client\Badlion Client.exe
"C:\Program Files\Badlion Client\Badlion Client.exe" --type=renderer --field-trial-handle=2596,9610253500628220561,8798354694262612430,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Program Files\Badlion Client\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#38434d --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=8011200833239708083 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Badlion Client\Badlion Client.exe
MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\Badlion Client.exe
MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\Badlion Client.exe
MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\Badlion Client.exe
MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\Badlion Client.exe
MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\Badlion Client.exe
MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\VMProtectSDK32.dll
MD5
17011601817dd00866b681d4a0bd90f2

SHA1
d6ad7087f54182b47a9a6776fab90cb03e95f80c

SHA256
6ff20283e407a0f2829e4fa6def121cd63d715dd6582847ae2d6fc379ac40927

SHA512
1e41669c920ac65fea5fd0e5704430dd371893155d5f33674ad6eec011ec16bf4969b01e2b9b28c561d131a032b599e0479931221819c677140d1b272d121abb

Download Submit
C:\Program Files\Badlion Client\VMProtectSDK64.dll
MD5
6540242ff58d08c8849268cf305445b8

SHA1
ba0d0c8875ed96f137dcb28aeff873373b994eee

SHA256
889553cce491767b38df153b567b6da682709925dd7a1c23f12c6d53a9fb18c2

SHA512
073e44196cd0c4cdb1cb5004cca59da80e09b97c70b83f212344ec7b262f1a3a4ebdbdf059d9bdbc228545b49a269a8363b1db9180ff6565c94797b19cd3c515

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-console-l1-1-0.dll
MD5
3463d82d90601b441cf024c92abe4acc

SHA1
eac8fdafccbc1beb17386552922770bfe12ec1eb

SHA256
49ac9f317d0adfc3761d6ff0d32844be70cc78e2af18319c9a2e2ec2a44d672e

SHA512
ff4fe61c7dc5f8eb7012cc4867d7212cbf965ec786dfdfa8c74ecad8c582c4ac1107aa2876e5f11066908fbd07c1b353dc67060c28199a7e21d57adbdddac977

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-datetime-l1-1-0.dll
MD5
ac3c4cafa028297da5037781f1156220

SHA1
937c2b11c7fe4effc16e67af716563aee2419a0f

SHA256
0f0cec83da06f06e9c42ffded72fa69c51efed881def2b4b7b88274bc1bf3d40

SHA512
a2d1135f497e3831f14369978ae6a5ff74106d9d4ea0407548b6c336a1082bddd196424b292c799ce60270182c13e148971039cf29241e76203b069ebf7bb72b

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-debug-l1-1-0.dll
MD5
8c0531639f58f79b5b67b52edebb01bd

SHA1
866f3ca8819440e0ba67eb935e688509f86ce1e3

SHA256
a20dc11ab10769b38cafb701c2d08810c8aa61350f0b33ae7838ff5c26edf956

SHA512
d6ddcb814d7f507df03bd5fb378eae3bf30f31d0cbb41136382469297033965763dc20e68dc50108eeb5fb5996d167cf21b29dbdc0ea163521607e1cc75f7d9a

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-errorhandling-l1-1-0.dll
MD5
2a3c5cbe313f4105dce8a79f533e5959

SHA1
26e6768280c83217ccbe36f3a405381defec12b9

SHA256
79cb8a8781feb448fe051e90ccaf3d6ecdfac12c1ad4bba2730aa1f0a229c31e

SHA512
e24ba69254b445a62add1d58269ee99841c36049f639671a311bfc0f60d965e6a8d79a67375eb0d3ee3be8cf998f182ff03291f0709ae2155bbee924708dd8c2

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-file-l1-1-0.dll
MD5
4215700161720c767e725b1f7fc358ab

SHA1
6e31fa39775c1c6c60fe8869761c31148b0a8019

SHA256
38e535e9a79cd72e3f5e3c0ec9c97a18e86d480a504ea6c85854a6f70b302c3a

SHA512
8c93f4021544ffafa37665efcbfa2c4d23742573e695766c637c9449a39af5ea0de114c821a5c50b886ed1ab0f0a2be0fdda164884d73f7488402cfa2137e5b6

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-file-l1-2-0.dll
MD5
285e3257c5a12d3384cd3f5a3ae941b2

SHA1
c05f6a72b73bc7ec8409ed42ccd947f501da0166

SHA256
8355bf70788c00fb1a17bc4160bcdc6930fa219b85473e08138efc10136d90eb

SHA512
f1ee0689b02e6a6e95940c1b3c2cc6902f3e04db44f4d767a1e68a890b7b3733b28c1d86f1f361f0db8b1ee955f5f5bca86b758b8f2e93d94b5bc4d469187df5

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-file-l2-1-0.dll
MD5
72d542226f067dae07562fd093b0f5f0

SHA1
c0f7f85753bb351c51dd8e36ca2366a3b24c73ba

SHA256
e8e3550084cf30e16b16216266bc73b07c1a05bbfd94ee3f645122d3d167d7e6

SHA512
2fbf32b38852def53891a73b9b33f33de96ca09102baa8c37f02d1b3d5076b26d2a32f2e79aab1009dc5b2464abf50c956c797ba4321fd37ea13900753a1d182

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-handle-l1-1-0.dll
MD5
3b620d81c727a8aba6dc6895af695d35

SHA1
21641bc6c802d0ada3121d14c2a8de4e708c74bc

SHA256
9aa764023ddb501050f43d1af0ff87f592ed14c4f022ba58270c3315386141b0

SHA512
54af2248017db94ef81a5c4ba6496127f1e305e292bd165563929dd88ad756b15edb5f0e2e3da367581c0c9cd92e04699e28bcac12130299949b13267414d228

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-heap-l1-1-0.dll
MD5
d54e0da17090c6911db3fd0770faf91e

SHA1
5538096f53b4160ef2e91987d57d2da0ddb9b6ba

SHA256
17415ecd7f34def148a91defe99155b71c8048e253315b2d24d499b99207f618

SHA512
680142c329f6ab44cfeb7eb1572f296918866c9ca3ac9e66ae13ef38d79dadac9bf367e6dc6655c7e404cb6b243f3518639acd9cbcd9a37da5812823d43886d3

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-interlocked-l1-1-0.dll
MD5
2ca477f1799fc97d6bd05437bdfd0017

SHA1
31feb0b42e9237cddc5e47c3f4a076de86ca600e

SHA256
e81e0d9b2b09524e5790617547bb8bd8ef3dacdd001bd19057c4f8943d996227

SHA512
c0c991341619548e6944a78a090e1dd942140342d8cb77f41ba559b56034dc46a3ac731d2e2e67a7de1f6a65e26ca0c6a3eb358124a03eab55c2b5d061b64717

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-libraryloader-l1-1-0.dll
MD5
d6db1a6b5087a82e766fe7e9f818c135

SHA1
d786b2d8ab10edf0e893fcfbf52b03bceb15f53a

SHA256
f9457d0ddfa864e4bb383759bd7bbae961098055216b0b7d7d40c11084a1561d

SHA512
6118ed237839a49567340aca7a76d8ea366537942da060d4afc0399a88603f7f02a93c061be4475f35599d3cab8233f3925a491f4aa094bfbecd2adc5d3e65f1

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-localization-l1-2-0.dll
MD5
55902b92bbbca7a2d11a946297f583e6

SHA1
b6158f009d98a98ed2e56d377f9c4b6323b852fc

SHA256
2dea4ae5df0f7daa37e26dd0f9232f867884f57e850aa85062594b54f3a81e98

SHA512
85e0df8a390260e4e0cc0a9372dfd3c55464486812926775a5f9f5767157b88783e03701b1f1c28f34e822b21ea7436c3e8270df58f8de3ec1b15f68b633f4fd

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-memory-l1-1-0.dll
MD5
8fc176a3a6550f90e73d6da8445e8780

SHA1
5d249243678a789ce56037d0d1b36420d97dce06

SHA256
65bd14bfc1f14c35e345412ba5e9642e7f6c286f95de014c0f3af100e88b4467

SHA512
808daa3369df6704151b67f246eed90cc32d9110653faf06e973b97900003c8b7dc26095abf420d5c078e9546699c4b3debaf410819cd6060d3feb481576eefa

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-namedpipe-l1-1-0.dll
MD5
27a8f9e71a2f2d134c55de62fad6cf0e

SHA1
b60944dbf9a50a166b71fbc58305c3d559c4157f

SHA256
a319a14b76d8d67272128461f1cf53924dc2759ac72a76571f8b31e2f737553d

SHA512
3904895242acccec14feea4b7bda654a0eca3ef716df560764ca28f97eaeed10e94f5a0d46a633fa0671682188e4bc7b99b13649354bc26a88ca8211ee36307a

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-processenvironment-l1-1-0.dll
MD5
ef80685a812d9c252de35fc9b38bad11

SHA1
c641bf0f41d0617b25aa20d63b033236ad3133ac

SHA256
e17aa51c5520a623dd530889838c54ddea91e06e235003833e019095f5458ad0

SHA512
431ea4ae368b2cf55542ad614cca8e24fa2cecf0c5163bddc3742412a6e43f53ee69d7cfd1931e59eae9ee8671598ea35d0936850e6b733af14a4a5ecbd79437

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-processthreads-l1-1-0.dll
MD5
ed69bc0f310c5ce427e25973a0a52c31

SHA1
0bd1683418c952490f6a791a044b5840f5dc90b5

SHA256
6bac5963da125b3e314beaef5903d37316e162eb92e7c0f0b9946044eb0bde01

SHA512
4fe23992c6ea37a2f88cd2e3519559b08cb302f51f35b1524816a6e29e1412c2e6e1a214fff6d6ff50d0f7b410591abd57fd7a87c987f18106c6ec44d991666b

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-processthreads-l1-1-1.dll
MD5
d2eeb9f6789213bfda7fe6bcb2a1540a

SHA1
c330267c8abd56c04204deee9aabd566268daf97

SHA256
0ec2b6ee5e8ee5ee22b810795d097dd769ef054eb394355eecac1a1fdc18c971

SHA512
7795e972f46ec84cb1709354a40684593947cbf6b4df373cd823134a0b2deec7e5dc738a74c13c2accb74c467892d9a2375a96ab85147ae42fadc627a0f7e2cf

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-profile-l1-1-0.dll
MD5
46361d1f7b60b86f128f4e23c95cc3e6

SHA1
8c621d8dc4ec4fe3a9f40d25ba3dc26a19a02994

SHA256
978419fea728f20a4df8046e75b880343cd425548f8bc38e8c0a6e8c315c4310

SHA512
25f033816b7dbd387134fbf72f5c6ee351bec480a4975659702b0912d204486826e64612b94646056d97111612fa8a322547aef8755469f8a6edc45fea534322

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-rtlsupport-l1-1-0.dll
MD5
210b0178e7aca6b9444e2d10ac6ee054

SHA1
2ea3c9d780f6c3dc60b6247b3fb0dd5a8dc638f3

SHA256
7857b0c9c6517102ae5e047d7fe1cb0f85424f1ea01fcdc66afdc231f3127906

SHA512
3b3d10262bbca6559b2223be60f0d61a77ada9c147b167641de58b418634963bcdfc37fb4b11cf65517f5a3e29adb785e83c379a056c4992ffa59a468ec393f2

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-string-l1-1-0.dll
MD5
7f8e52ff5a64d2d471413e288a591866

SHA1
cefad6219c916307e0bf7ef1382512c2cd4c2d5f

SHA256
952b0ef3b3cc8d15c91e4e6605d49ea6bcee1459f465b99dd22decbce69012fb

SHA512
7e9025f0eee30552e24425c0d7fe441264a905469755f2aa94863d68f8d53da654a83b4146695d0320f5ad3538a2fd716619baf615d9b29d8767ef6296088253

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-synch-l1-1-0.dll
MD5
599025b219fb4f70b3f93eb0d4d12bb1

SHA1
c1ceab162231476cfa9aa35a54400f3d959369bb

SHA256
6defa74d4bf10f95815d965547065b5af5fc4154d93757735ebbe6aeca570ba8

SHA512
1b4e6af508ac9d353b0e2d02344181ea57ee654f505e04d3b6a7d758fbc0a72875d72ec185c138e69e1d7dfee3459e96c64cf6a2436db1c7425748556f99b922

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-synch-l1-2-0.dll
MD5
8f469c5b261e003ed991f570aea8f29f

SHA1
848046907a02d605d53a31748d8dcca18d11259b

SHA256
ae460b343b6fad12d26feeee14e68efb97e59686dbd2cb22ab228619508944c6

SHA512
f393b8c9ef4cbd6f660093016fd5a3267b5afaf4c26262f2fc3c52351c697ccc38744e530f779707f802398aa01a7eaec191497949d2c1fa5b34b8d33153beea

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-sysinfo-l1-1-0.dll
MD5
f58fd490561921c154c31c05bbb63a3e

SHA1
d5f009e7cbb070b35ed81acd68710716bf971b7a

SHA256
bc7203c7c0c539fd225701e39f1e430367376cd580af52cdf9dff680046027ff

SHA512
8389e2834559681accdc3ded3a8be06028e5e3fb8d62cafd218c545dff052604bd0b0c14a4956eeb7653522c05b45d05d072e44c4f125b0e5567d3a23318e8ae

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-timezone-l1-1-0.dll
MD5
f2d0493794b45c6a2629fc9c5c80f832

SHA1
12460ab8f625ecd0e0a02b4fa82061c2ff4644b8

SHA256
8c2d7b0dca0702b8f1870c9c404f41e00624132b239deb7917096dfed8ca1507

SHA512
4f44ea443413c3709c1521de0b9dc5c05ef9a4f853062e44658d7bc54663115afc1f04927797a5406b388cd5c9e226c9fea1f73f0c288999105d9db42fa257e2

Download Submit
C:\Program Files\Badlion Client\api-ms-win-core-util-l1-1-0.dll
MD5
e0b524ff31e7c651eee7d83b1c7cc2d5

SHA1
d29f001b843e452cae91a2d01ef338373fb24763

SHA256
b4afba280abaf5dd28d92d452b958e440c88a26ab7359a3200876a35775a33b6

SHA512
4d3dfbcefb85b8d6ef874cfdf04594ea4d6c58ae7de544588a9cf8646897aaf9b46bdccfe9e6f7cd87d00a58d5c595973493fa6cd6d82266b1a27736d4e15ded

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-conio-l1-1-0.dll
MD5
d2de2615f123ce2bed3332d505a99385

SHA1
9f2ea75348020d271222fff7984c8ef21aee460e

SHA256
da36262bd3865024a6ec9726b8fcd0764ef3ddafe21387314c0bbb89a478e4e9

SHA512
a5e99e724a847c2193ce052dbedf0cd19a8765e3561ec028cd28e5972c8f004e257de0d5dd3870d41213a6cc84492ad488bd05106d2b5d3aa19f808eec820d51

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-convert-l1-1-0.dll
MD5
66a41a8156a7f9cae4a7977cb8084fa7

SHA1
4c72b0d8c90daf993fa0371269af04703a81fe4d

SHA256
a454bd7a8fb18d19e3264855ec7ade9820b54fab31f9528bf1abc8cfe32e064b

SHA512
989ec1a0deff20bc9b3099a21bf9d45bf821e94eabfc1b18ba4ece1689d0cbcf83b6206bcf64530a55aac1d4165a54c395f8db17fe5d68778082dfb1db4f0d10

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-environment-l1-1-0.dll
MD5
89abe10555d85e9bd183fae2c37d7aaa

SHA1
05c72b53f7d7b0667ff6cb14255e5c6453f1f35a

SHA256
d524f5aff8a3deaf37899187fed40b821c5e79251b99d0a8571b62ad87adffb2

SHA512
7b9c38e5270c401acb1b51ccf82ff0249671c4df905c31bc934d8d0b15a6eae22d3d82381199e4d61ac717bbe72726bd2f9b6c4b2fc930b39ec2c31d9fb1147d

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-filesystem-l1-1-0.dll
MD5
7dbc1ca1f1103cd971a67709d5203dbd

SHA1
717e689b96a5d029558e7cb663d5c7cda840b780

SHA256
88a6dc7c08725b447dd1b7061990977246dc62b7282dfb50fa36659627079fb1

SHA512
ec58c7bb26f669f5b90731ab8c787b3b4e4131d7a9450dfae4d74ef24541a51c98ee8cc71dd4744a242dfde2f75feb216727daccb18bf745e2539546fef746d0

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-heap-l1-1-0.dll
MD5
dedf6460cb6fc8229b3e889d1b32f75e

SHA1
f47e35654cb90ed4505ba49a92b2fdc661c0fe8a

SHA256
bae857fe8e162640032aa8d7a88217a021810d305bc58b8f27409155f2299adb

SHA512
b1ce0119c2eb87ee36fe566477d14d317d01465319b72f7afd2f83a88f82591afb6f795eef76b20c0b13060530f67a4dc07923fd2f61922fdea06973c70f8352

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-locale-l1-1-0.dll
MD5
21f5271a151394a654b2f1c44fc44049

SHA1
1d2f98700ee87fc747b230b908fea133b730bf0a

SHA256
a7a987527a2f7ad4474cc5be04e5bbc10375e072573b13a2cf3fe705789bf822

SHA512
cc46e3bdcd25f2d72802581955ee69af97781b19a40a51fb318206ca6916f188f40dd94a7a5e6bc2c4c2ce211229d03e50729b168ed771e52cee188d0c30638d

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-math-l1-1-0.dll
MD5
514a74d1050e7bdcbb1f422fb571c351

SHA1
5a82976e2456fe3f215316a85301460c6af389d7

SHA256
62e97230bbe85c0e2930d16cadf830acdbf9f2bccedd3d51fa8ee0c5102ac63a

SHA512
f2b19fe5fc4f95ec3a1b0d76e8e6767234c83a8b8a08ec6a2ba9b3620c08f67132fb7629235aee27ec172d6efa5260209e005564467abe3ec06f1a7756d21da0

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-multibyte-l1-1-0.dll
MD5
3e4803f97b89adbaa575b45aac0dd4b8

SHA1
d810ed1486f86494828a8cd96f774881a629b652

SHA256
2fb9611a4227227d30bc9b8f6d389cd12bc9b38b325d23675fb737470bde27da

SHA512
b9824a29e712ae65b27a4ecc68bad7f127306e7c2267e1ca9704c09e15cc6faa0aa7649118d169813172557b6375b72f8e88a587e79bc97f1825b8cd4c1c2dd2

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-private-l1-1-0.dll
MD5
3d2b4445b9fafaa0e13ae0e126be2669

SHA1
3b24c99469ef9a35bf720e711a0b022f2403be22

SHA256
6bc27ea87e05b365c74b093f0256d1acf85113ba356ad187886d8adc07526398

SHA512
9641d0d9470abc256f44c9d3881a42a674b41992dc25b7bd048a9e2b8d3523de9626460a9f73f2907f73e0be80219c913d33c9684664d6bd6642c06029e5c44e

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-process-l1-1-0.dll
MD5
90d42fdf308dfd771797dd41585d3baf

SHA1
daea1f05092de97ea558de14b4e112ad48b77726

SHA256
404ff7454e8dd3d766e433def1780a265ddc87a07981d223d241a528cc78c0fe

SHA512
e8f35f6087b9601d8a46b2534634f24a2841ff2cde9f6b7bc10326cf2197e98bae9c6ddcb2e53e8f81a984019b72080d1e826731fb6d7c28fdb47373c1e474f5

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-runtime-l1-1-0.dll
MD5
6856722db8c9e3dbb7fc62938ad2cf1e

SHA1
6d1aa306d7793916adb30e9aac451b2e43516abe

SHA256
3d077c3cfa0a54f6f58814deee22d3dcf4bcaad44ae405b8d31552a9afabc086

SHA512
87a3c82af000fc1cfee5f12f01f077c2c87638245b2784e8827c587985f8c0014685d0d15a1498a01dcfcfe717cfbb9ee64344ae7a78aa75bdb65e2a0aef07cd

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-stdio-l1-1-0.dll
MD5
dec83f473e43ee78e92a4b682a9a7904

SHA1
ce5e0479c78ad6ffa7d765479a7e1a7157eca4a3

SHA256
a5c05a8394c5aa71441ac18e945170a755d1f1ff141e614cdd92dc5737426a5b

SHA512
60bbd86035bbf3f80c17a01fb44ea5af5c84584a8aa5f34a7e0abf989ccccf8d40bab4d44af364c8ccf62ce4e21df0ed2c51bb70e817b2bf9c5319dbfd4100d3

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-string-l1-1-0.dll
MD5
88b5f9bc871438973ef12782e0c8d12f

SHA1
d327208b4f26c1c6f0e9df50ecb22a89b426465d

SHA256
4691510b2bc2ba15b638a0d1765c2a8826a8b9fdbe3737989d8fea072fe7c20b

SHA512
d4de343a88c9933af67c4599d308f31332ca7a3ea0428fbad2d60e2fa2165eca9ea56410437be1154c551e7263dd6a5773e6f7c4dc5b6952e8b767a3c5b16597

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-time-l1-1-0.dll
MD5
f862bd9516845b31973ba98e9f1288b3

SHA1
ada580fc93b4f5a86db92e1d612293ccc21c72f9

SHA256
72d31abee96fb3ee1d90afcf11fdc54ceba131bbb912b994761f32cd7cfc3ee1

SHA512
bb442aab30bb0d8797586eaafa53a6deaaaff19d41342b9fb828c87fc468d96953f8ed1123ace4c4d371f9eed91c2bf2c42b1d8ca92bbd0a89bc5a27a877a15e

Download Submit
C:\Program Files\Badlion Client\api-ms-win-crt-utility-l1-1-0.dll
MD5
9975d1ae7b84b373d9095d757172ec08

SHA1
302edb92e0a6ee621379528fbef9dfcc249b9285

SHA256
8d3df297a7da678446dc9689f64dfbff0478cfd2da168180ff41c16e1344e584

SHA512
fb71a43887ec9675a4e42f2f810d33f6ec4726de5723c935961952f43d45982e5d1156e4d97d4c0c9ac8440fa186b13e1c6387c425b5a774218d6917efbe41d9

Download Submit
C:\Program Files\Badlion Client\chrome_100_percent.pak
MD5
8d56d44c318d122f7931d03ba435f00b

SHA1
387f530e06f79a2a9f7fbf4446c71c31db08e7e0

SHA256
fcb4faaa82d13d90c42dfa0669f67391b3124d30310d0f4c510f31412974cab2

SHA512
03bd2f56f73ad06fe22ebd94fb0de4e37d1771f8a9d82a47ea93002ba4696d906b59d0e25db63e98af10a169a8c3dc9d047cfcbca01030924bf93abe7bce1590

Download Submit
C:\Program Files\Badlion Client\chrome_200_percent.pak
MD5
879f88cafa5714994744bde20e7bd2c2

SHA1
d63b55f9f7c0e40f9585cac8a5cb28c0ea9f32ee

SHA256
76126341d0dc2b4b6ddccf30559709e6a856cd47148107808bd18ceb16ed1df3

SHA512
4d70ae16c2656cf3a8aaad00e2ce0ddcc030bf1ad29bbb1d0e90c03f866c413f893b273b8b03aa12c9ea5ae01537ad1d2d1b2c52b35bf7773278121a09a3af9c

Download Submit
C:\Program Files\Badlion Client\concrt140.dll
MD5
14b7a99127ca18df05dd1f5be3ac0245

SHA1
991891bb1ea603a002941696697f48cfe52cf94b

SHA256
511aba3d00b9925e7bc64e2132d77a76c1fd9e9d200ec0ef864b7a0f00c68995

SHA512
80f1a6cd377e62c96979fb4cf50d70e3005623c8debdb3c55dd27e5bae9dd46328d18066e59501ecac13ee96533f3b5189fcc93b4aadaf376ef6a2455ea7eff5

Download Submit
C:\Program Files\Badlion Client\d3dcompiler_47.dll
MD5
57d829f7d174d1a8067612c09cf6566b

SHA1
79ed06500dcee028885b00301f7a9a9155c69b62

SHA256
dca0cd7272a56801dd74d0b253df33a8829bee61f5fa0c6d8e2ed5b62f440dff

SHA512
16936ce02b7445b56d67adf43d896d2dd9bf1f713d5a765fe97c73c72f22ef8915372dd7b04cfdcfad72447924b6e03d8ae0e0565927a2f862433b2860bcfd64

Download Submit
C:\Program Files\Badlion Client\discord-rpc.dll
MD5
5882c37b79bae47a0d090006564edb22

SHA1
ac7bbbdb1d34eb763d8db4ef7875a50f700e9d48

SHA256
5cc2e504800cf4ed2f4781364f661ea22349658ddc391b5d54195e573109d87b

SHA512
d4a6a1a36842dd1c8b2162168807b990e0d491a908e11b52ebf11174a67f818b131607c2122dbb484f5d946418a05a1a84d42e1468bef5c98ec3fcff7d225ccd

Download Submit
C:\Program Files\Badlion Client\ffmpeg.dll
MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
C:\Program Files\Badlion Client\icudtl.dat
MD5
4c8a9e9c260dc5a6fee2a3c37520f5bf

SHA1
5a9883dbeb5314a98e7ab5326f9868e78ba387dc

SHA256
8c2df1f6e2ea8df2e5fc5e4b016b0cddd64a7ce6985189ca45be3c0ec99472c2

SHA512
c0da0b08a0b0eaa898f96c6e6c6fb65bc7f773f5814fc0d612a40e2fcaea4049c67cd2812716a564dbc16d609677ee62eaa9f9747d2a7bc5c9bce43cd2208aa7

Download Submit
C:\Program Files\Badlion Client\libEGL.dll
MD5
ecf1b7a2253ce9b7ae59b7358129713a

SHA1
2d62f035692e4c0dbbe5a5c74e5e8330f374d338

SHA256
89a80127abdfbfb6d44f55bcdeb614d67ad60499e5f54e645646465fed386e91

SHA512
8758575fb29f03289a52185066d4a354d3a29f1f67f661dbdc70b14d41ecc16b858b0ae8dcc7edf7c2837263808092ab5a0348c5c2a96417ff6f22fb54c5d39f

Download Submit
C:\Program Files\Badlion Client\libGLESv2.dll
MD5
a2e3bd2cddd9b712419132d0eb3c3c80

SHA1
c78f8aec8876104ee63f66bdba6bb9071c200038

SHA256
d23fc2055111f6a7ae37c190a2fdc37fc060abaa59adea9e96fadedd585077b1

SHA512
b08f4a4ed552f74aec6313c1e6214fa68bfaa0eade92385b9293b63042055313611cb0fd595bbbe4f40b277d7ef48c2f010c1bcf69d31c79f97e5fccbad29584

Download Submit
C:\Program Files\Badlion Client\libeay32.dll
MD5
4b8269a6ec04ec8ac23904eaaee075bd

SHA1
7e58e27dfd38de0d77eb729824f10c6aa5a0b8c6

SHA256
3c3d0df094235029e561a7813aa5835b25a8bb7b38dd77ef8acbd335f6db0485

SHA512
82a303b1e5adb8ffaa86c99fd63c533841bc9e3237ea3478584411dd92d60ea573ef063758747ff0497d58dfb085e014be1b234b5902face23a29e842b095d1b

Download Submit
C:\Program Files\Badlion Client\locales\en-US.pak
MD5
15e8556f737d17bd4d645513ee190990

SHA1
a24844d68fe3e9f4c57d14e6091a06f5e6b5f327

SHA256
12e4fd083a49e038578ea2993e6c88239083c8d098231527eee861299a4e1c99

SHA512
4e5c423b2b14def0e6ebb9c7844bdc050198064c9db69d3a880c1444314211995b1f0dec6fcbb12c6d5e59f690c3ffc893c2265bf7168d1ecbc8d83dfa5e1465

Download Submit
C:\Program Files\Badlion Client\msvcp140.dll
MD5
9ff712c25312821b8aec84c4f8782a34

SHA1
1a7a250d92a59c3af72a9573cffec2fcfa525f33

SHA256
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

SHA512
5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

Download Submit
C:\Program Files\Badlion Client\native-modules\badlion_electron.dll
MD5
f44b493c023e9bfc2af508aac582dcea

SHA1
64a8cd54cbe55f7447d4a940f2ee20310ed767db

SHA256
01ff2ba636c599c3663bc8f512c57472d9b8d499be952ab853fafd4079c78763

SHA512
cada778cedf06487d51821964324f88302bbedb3cb51c22cb55ba6590c013bc845a6a58ab718e3c622f196ca238b058dc6435d25bcb706b0a3bddbd19f9daba2

Download Submit
C:\Program Files\Badlion Client\native-modules\badlion_js.dll
MD5
2864582f5fe1514fb9b580848b06222d

SHA1
79a105effe73a0b6a755b0eb8f3e6ce9bc1edf5a

SHA256
f4eb964585c71c8fc85515ff3b782596f17dc44b57266b97b815f892a288f9eb

SHA512
18706164d463ff967c9f5956e85755937851b81f6ea7d13783c25655bc0fb78cb0ba4451a44dd692835f5ca12dc379c5cd91110e4da2eff30abdebe3c45bdf1d

Download Submit
C:\Program Files\Badlion Client\native-modules\launcher.node
MD5
bdeb8dedacd0887989be988a446028fa

SHA1
9497f0fdd63863a74821e2f4082789df748dc065

SHA256
74abcf460c0d12f16abda28ad9dc82c29818328efc66062e21b38fc115aa03df

SHA512
23980ab0413dd22779b6567d6e01b209216163006afe82be9050839790874bc33ea1470f556f0700de38418f2e3673b3b343b264d0ea4c5261afa50a92f1e966

Download Submit
C:\Program Files\Badlion Client\natives_blob.bin
MD5
f8ac49858ca8739658ff44c296f8aba6

SHA1
427b4da3bd619d85381c36d61daf2ce392e07909

SHA256
354ff502a0e1ed73df4e5c7b52970356b04777461f6e169f72a8567ab5f4c317

SHA512
52e875aedbdc5dad21e01a42e333ff5aefed9ae6468a00e80f2bb373b871196f9a82bc3f43a6c72c9dd6be0e4fbc591d3ede41ca47b23a806b788db5aa9bf313

Download Submit
C:\Program Files\Badlion Client\psapi.dll
MD5
80050af28eb0070a582b33470d20fc91

SHA1
bacf5fdb74ef5fbaf91d0475736d566ee3babc18

SHA256
65e42f8fcd039abaccd6aa815d237f1d6f7ee2067457c8ce235333226cff16b2

SHA512
780cc5783d93fd8e7dfedb291f384be4fb1c4022bea22dce991b360a2029ae42f864c540af3d75602a9975e3b66324a3b5f3ce4582ecc32918c35e00f3abf68d

Download Submit
C:\Program Files\Badlion Client\resources.pak
MD5
978e8122033961585e14c65949d15e11

SHA1
3097d04bbcdfc6ff9e0bb52c2d38f6395e4bb631

SHA256
a435fa0e07a9124b0d457811de5e2245aeb225ad55ab99186cb665c6ec6e30ef

SHA512
5f6706116b7eaec70213f7343cac44eea2dc735de6262524b5508a659b150d8a5ad7f449fec984b45a2e5c170e1cb4feb927a19530c94841f3e6429a2fcaa1c0

Download Submit
C:\Program Files\Badlion Client\resources\app-update.yml
MD5
dc3ecae939e722b67a0c1ca19877081f

SHA1
ad858cf6226ab10f41256800c409da1c07251e63

SHA256
8d677553ee63d70ef35e0e19e6a1de01943f4a2f6574989cbdc81061d1c7314e

SHA512
6d573f89b7b0fa17d6842ef35b20b0ab96325336fad05b6da9c313ee019944307da72ab536204b690a71eb94a774692370628a392ec7bcbb506c282c652e3df1

Download Submit
C:\Program Files\Badlion Client\resources\app.asar
MD5
57892a47e06d3d1cb46fce7bb084730b

SHA1
64281fc658e2d624613ad88ab523eea9efb1a9a9

SHA256
c0bae93f4fe1c13eed69de41a8ea98da05db43682ba36fbac473548b23677d76

SHA512
2bcaad62e7dbbf89b64ffb8d42d548dbc6d12e92df8a7576b1065f96517e446bfe3c4e55a49f91aca40ecea8ca9fb83710b2688c22a6acd291929a72fc4c02de

Download Submit
C:\Program Files\Badlion Client\resources\electron.asar
MD5
9217b91b15e400888db98d761f78b310

SHA1
5cb9ba01638a9486a20d4c2e802944b2cc076202

SHA256
8183cc34c7d74689ed776c9c615eeb323c7c2e5886c280ea6d32a0f06e41627c

SHA512
e672bcffe09e5c729707d10ba8ecb25fee4223044de97cc165aed503548ee2a36ee38295dea6544218b08b69076094badd6b0ea9dd6764bfecf34ff6de3b5fff

Download Submit
C:\Program Files\Badlion Client\roots.pem
MD5
bec29e7471bdfd13632a88a0e1177a4e

SHA1
f06003491572f8c18b6c18f1857562562eb48032

SHA256
00598bc1f737f7cc56eb82e58137a3e65c6f5a840011db174b5b65076311270e

SHA512
629862482f92323a07ea5f514b36271b4d4b3b8a46f1f2d3b654c8b1113eea1cb05dd1689599c076425e4ee88c461b245d2d06eea9711b95ecb7758340bf692f

Download Submit
C:\Program Files\Badlion Client\send-presence.exe
MD5
c0139a76aa1227f742b917d6ff62773a

SHA1
fd0c204634ad0a877f28174cea0b461e9c595a7f

SHA256
6a67f3c954fe5b9a6ade664046bfc92875b40cbdc6e20cfc585d4c5db8709fce

SHA512
fce91df8efc0a5df6c0342f9b35bef3e11e16881bb818b744c24cdf4f906cd6dcc59341aefbea8c9eaa7d182d5f1fc8d91bdb1bde38dfe0f6c554fb1f3585c55

Download Submit
C:\Program Files\Badlion Client\ssleay32.dll
MD5
c87e22c79b0653a27e0f9e6b1a9ac8bc

SHA1
bd37e85bf38192614d2b8fb5048d7e9f38eb34ac

SHA256
4a53f602f4891247dec42ce9a79862192cc80e12f40e6b4bb0a8db25052c8132

SHA512
97bc98e134636bff81bbfe3275141106377fa4dcf63bd191151a8f6d1c5109ac49eae81a89bdd90e5e2e5aeba274d673f646c0aa65f3dfd673ec2b23067417b1

Download Submit
C:\Program Files\Badlion Client\swiftshader\libEGL.dll
MD5
2bbfbdd0fc2dec355b7cec018e527863

SHA1
e7420f8179afa200c0d91a07d5ddb0ecc98a9cd7

SHA256
573b7e6945e9d97e54ec35feb96a91b20b977248896f7d42480e0033af3cad78

SHA512
ab867bc670b72c6cd3de5703dff3d7d798bbd4f655d0d9de77697d07225f4aeef8ca92bcc532ecd5979c6eb5a4facd267a95e3266b9288238a95448b10ffbcae

Download Submit
C:\Program Files\Badlion Client\swiftshader\libGLESv2.dll
MD5
779ee52ba76e41fe2b5c1057241da303

SHA1
be5a423bb1518ac03c861407ff5a7e3dc0c1aef6

SHA256
7b54f227a80a36a94a46c9c8058ea87ccaa0f1906c45d858dec1d026a9fce1a1

SHA512
19687aa627f1179d2e1f53a07cc60b57453ae8b4c679cb2373d8fb79ccd79ef2d3f4855dd7108cf16ffd2e90607e7aaa219a7f2fc286164a565644268cf8c774

Download Submit
C:\Program Files\Badlion Client\ucrtbase.dll
MD5
cca4929ef8dd988d7221ef6ba398f1b5

SHA1
1d21e60e56a15038702dc18148be8cecee279890

SHA256
4292c29e74d90aef21bbad50e8fe25858c5990846adb629372ca6fd717cd0ca3

SHA512
d990d1370201541e7a1e1ec9b68e40a984d0195847010919148d0de80d2a2c51bcccfeeca59087fca95ab410c9e170c4585c8daa1383f1383b98500d797a41ca

Download Submit
C:\Program Files\Badlion Client\v8_context_snapshot.bin
MD5
ca7cd9e8812bf3d3af627e2ce32ac9be

SHA1
ae584ef401ec7684128517812e9eebc824098151

SHA256
15135d0f1bf67e01601a01dac865ae49d59eae99bc8967da1b8f0d5c7ada7d84

SHA512
f15ce97f2fe8d1e2230c7754449313f8c5b9a850a1bf2700adf47e95fd93a27c6d41a3435a1cbaf76b99a4ed2465ff5c8c39138239bda07e97b25e4bf377a310

Download Submit
C:\Program Files\Badlion Client\vccorlib140.dll
MD5
3d8e0ebbb613cbe80320a61259d18514

SHA1
a69747866b33159ee14eecc9ac19a0ad1f1db4e5

SHA256
8a442077df17ac412be9072a91e4b2b39a69f1aed189034d34fdd79956d3d6b6

SHA512
83c72e2db25b86de925ad9711a03943fc4801f77d6950a23917898e877faa3276cc2c5e8605cc0132e48c1bf66cc45b172578f77d075746ac38880257e579660

Download Submit
C:\Program Files\Badlion Client\vcruntime140.dll
MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Program Files\Badlion Client\zlib.dll
MD5
d48c270acab962aac5d222abee92c39f

SHA1
b23f9b747d859856fcad94652ebd07284fbd33c4

SHA256
809dd3e4ff98abf54aeac27cec2e0c194550bffd2f55ddfe725ea109306ae49c

SHA512
32a83196ec83bcaaabd83923409ac98201785a3915293187718d61d2cc6f8b51b10e0c7c1ce765524a8f800a3bb52dcbed430d143fb3357511644b6b666d8ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
86ebc73c5bd8ac4c6d28f79abaf0ece7

SHA1
e8724125d1011ee9ef554ba191ebd5a65f47cdcd

SHA256
e0c44c8f8516a363902db353a496a7c7934709b0912cde3efa42724c397d61c3

SHA512
cac1a158f6e6d76dd50e71b1ab7cd727783b2306aef486ccd36cfa7a1235159f0561ad87c04bb4b591596a493e2fba0587423b4ef922fe2138c2fd189e0ff8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
13a9652cdcca301284804953eae4eedf

SHA1
0b16c9d585ece0925986c7748e72ff9726939ea4

SHA256
3f4d41e3eab774ca391ea075d68d58a99dd58ed7fef771127fa993aefdd7a69e

SHA512
01a1a2b022398e20a62d4f91f2a57594fee8dede274e66f27b37fd1b9fe0672ae6fe162a5f38d2546bedf75bbbe0f35e3d9d1c9bce99f483d1c04e9dbf8302c9

Download Submit
C:\Users\Admin\AppData\Roaming\Badlion Client\log.log
MD5
d0678ea3d837eac57aeaf2ace103d295

SHA1
4d3e10cbe97b97b1f57e4e5ad40949ac446dce39

SHA256
1a15781a159de0a8a28fdd1bb5c5b5ed28f6e6a980fd36b4dac11f45ac28e13d

SHA512
4c18e68cf811a315a22298e3eec6b115bf655a35ccfff99a25aee2903b0aaf6d8b9bab405d3bd924e6f9d00b9950bda251b97e49324e9861b5ab4bf5a2209a58

Download Submit
C:\Users\Admin\AppData\Roaming\Badlion Client\log.log
MD5
24cc84b064a0f77474867adcf48c3e6a

SHA1
23ec49ab7fbe3e5cf501949cad6cd59152a0d85f

SHA256
2acb5353c689fc7af50870f0b1f30157893c03e85edb1cf0413b30def33f6e65

SHA512
aca2c0c52f603a5bf0e9854187ed5d36aa7957a9bfb7c1b91bbce97985abe3dc6b28d01e2680023bf7903abcf975add344051ace7435a8e4c3610d88032706b5

Download Submit
\Program Files\Badlion Client\d3dcompiler_47.dll
MD5
57d829f7d174d1a8067612c09cf6566b

SHA1
79ed06500dcee028885b00301f7a9a9155c69b62

SHA256
dca0cd7272a56801dd74d0b253df33a8829bee61f5fa0c6d8e2ed5b62f440dff

SHA512
16936ce02b7445b56d67adf43d896d2dd9bf1f713d5a765fe97c73c72f22ef8915372dd7b04cfdcfad72447924b6e03d8ae0e0565927a2f862433b2860bcfd64

Download Submit
\Program Files\Badlion Client\d3dcompiler_47.dll
MD5
57d829f7d174d1a8067612c09cf6566b

SHA1
79ed06500dcee028885b00301f7a9a9155c69b62

SHA256
dca0cd7272a56801dd74d0b253df33a8829bee61f5fa0c6d8e2ed5b62f440dff

SHA512
16936ce02b7445b56d67adf43d896d2dd9bf1f713d5a765fe97c73c72f22ef8915372dd7b04cfdcfad72447924b6e03d8ae0e0565927a2f862433b2860bcfd64

Download Submit
\Program Files\Badlion Client\ffmpeg.dll
MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
\Program Files\Badlion Client\ffmpeg.dll
MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
\Program Files\Badlion Client\ffmpeg.dll
MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
\Program Files\Badlion Client\ffmpeg.dll
MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
\Program Files\Badlion Client\ffmpeg.dll
MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
\Program Files\Badlion Client\native-modules\launcher.node
MD5
bdeb8dedacd0887989be988a446028fa

SHA1
9497f0fdd63863a74821e2f4082789df748dc065

SHA256
74abcf460c0d12f16abda28ad9dc82c29818328efc66062e21b38fc115aa03df

SHA512
23980ab0413dd22779b6567d6e01b209216163006afe82be9050839790874bc33ea1470f556f0700de38418f2e3673b3b343b264d0ea4c5261afa50a92f1e966

Download Submit
\Program Files\Badlion Client\swiftshader\libEGL.dll
MD5
2bbfbdd0fc2dec355b7cec018e527863

SHA1
e7420f8179afa200c0d91a07d5ddb0ecc98a9cd7

SHA256
573b7e6945e9d97e54ec35feb96a91b20b977248896f7d42480e0033af3cad78

SHA512
ab867bc670b72c6cd3de5703dff3d7d798bbd4f655d0d9de77697d07225f4aeef8ca92bcc532ecd5979c6eb5a4facd267a95e3266b9288238a95448b10ffbcae

Download Submit
\Program Files\Badlion Client\swiftshader\libEGL.dll
MD5
2bbfbdd0fc2dec355b7cec018e527863

SHA1
e7420f8179afa200c0d91a07d5ddb0ecc98a9cd7

SHA256
573b7e6945e9d97e54ec35feb96a91b20b977248896f7d42480e0033af3cad78

SHA512
ab867bc670b72c6cd3de5703dff3d7d798bbd4f655d0d9de77697d07225f4aeef8ca92bcc532ecd5979c6eb5a4facd267a95e3266b9288238a95448b10ffbcae

Download Submit
\Program Files\Badlion Client\swiftshader\libGLESv2.dll
MD5
779ee52ba76e41fe2b5c1057241da303

SHA1
be5a423bb1518ac03c861407ff5a7e3dc0c1aef6

SHA256
7b54f227a80a36a94a46c9c8058ea87ccaa0f1906c45d858dec1d026a9fce1a1

SHA512
19687aa627f1179d2e1f53a07cc60b57453ae8b4c679cb2373d8fb79ccd79ef2d3f4855dd7108cf16ffd2e90607e7aaa219a7f2fc286164a565644268cf8c774

Download Submit
\Program Files\Badlion Client\swiftshader\libGLESv2.dll
MD5
779ee52ba76e41fe2b5c1057241da303

SHA1
be5a423bb1518ac03c861407ff5a7e3dc0c1aef6

SHA256
7b54f227a80a36a94a46c9c8058ea87ccaa0f1906c45d858dec1d026a9fce1a1

SHA512
19687aa627f1179d2e1f53a07cc60b57453ae8b4c679cb2373d8fb79ccd79ef2d3f4855dd7108cf16ffd2e90607e7aaa219a7f2fc286164a565644268cf8c774

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\INetC.dll
MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\StdUtils.dll
MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\System.dll
MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\nsDialogs.dll
MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nso1D91.tmp\nsis7z.dll
MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/396-111-0x0000000000000000-mapping.dmp

Download
memory/396-115-0x0000681725860000-0x0000681725861000-memory.dmp

Filesize
4KB

Download
memory/2260-105-0x0000000000000000-mapping.dmp

Download
memory/2704-101-0x00004E434FD30000-0x00004E434FD31000-memory.dmp

Filesize
4KB

Download
memory/2704-94-0x0000000000000000-mapping.dmp

Download
memory/3372-90-0x0000000000000000-mapping.dmp

Download
memory/3372-92-0x00007FFE4B400000-0x00007FFE4B401000-memory.dmp

Filesize
4KB

Download
memory/3876-24-0x000002DE05640000-0x000002DE05641000-memory.dmp

Filesize
4KB

Download