Analysis

  • max time kernel
    135s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-01-2023 11:12

General

  • Target

    Badlion Client Setup 3.12.2.exe

  • Size

    130.2MB

  • MD5

    8a2c0126d77da21e6dd849e99cc55f7f

  • SHA1

    cc8559df3b55887e4da205fdcaac5dd273740d8d

  • SHA256

    e403e94b43a16fed936c5869728ee337c565f4bd80582374cfee51a7d10949e9

  • SHA512

    f04d9d3815ae6f4b9ebc19c372a11bdd19f055a34a4a269c5e5cbff71379b9c4c4901a51fa156e115a17948603e94eead2eaa9863d2f88e1f8932803510778e3

  • SSDEEP

    3145728:VAW7XW1mma/U9kGEqR5easiT2roh0SgtY0MuZns6eIMjFnfZC:OW7G1K4kgEwTwoWS7uZnsvjFnfZC

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 15 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 3.12.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 3.12.2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4788
  • C:\Program Files\Badlion Client\Badlion Client.exe
    "C:\Program Files\Badlion Client\Badlion Client.exe"
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1528
  • C:\Program Files\Badlion Client\Badlion Client.exe
    "C:\Program Files\Badlion Client\Badlion Client.exe"
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\Badlion Client\Badlion Client.exe

    Filesize

    134.1MB

  • C:\Program Files\Badlion Client\Badlion Client.exe

    Filesize

    83.5MB

  • C:\Program Files\Badlion Client\d3dcompiler_47.dll

    Filesize

    4.3MB

  • C:\Program Files\Badlion Client\ffmpeg.dll

    Filesize

    2.6MB

  • C:\Program Files\Badlion Client\icudtl.dat

    Filesize

    9.7MB

  • C:\Program Files\Badlion Client\libEGL.dll

    Filesize

    431KB

  • C:\Program Files\Badlion Client\libGLESv2.dll

    Filesize

    7.5MB

  • C:\Program Files\Badlion Client\native-modules\badlion_electron.dll

    Filesize

    10.6MB

  • C:\Program Files\Badlion Client\native-modules\badlion_js.dll

    Filesize

    9.4MB

  • C:\Program Files\Badlion Client\native-modules\freetype-jni.dll

    Filesize

    723KB

  • C:\Program Files\Badlion Client\native-modules\launcher.node

    Filesize

    18.1MB

  • C:\Program Files\Badlion Client\resources\app.asar

    Filesize

    40.3MB

  • C:\Program Files\Badlion Client\resources\roots.pem

    Filesize

    279KB

  • C:\Program Files\Badlion Client\swiftshader\libEGL.dll

    Filesize

    445KB

  • C:\Program Files\Badlion Client\swiftshader\libGLESv2.dll

    Filesize

    3.0MB

  • C:\Program Files\Badlion Client\v8_context_snapshot.bin

    Filesize

    160KB

  • C:\Program Files\Badlion Client\vk_swiftshader.dll

    Filesize

    4.3MB

  • C:\Program Files\Badlion Client\vulkan-1.dll

    Filesize

    715KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_83FD583D6198B7A2A57B44D0AE1797F8

    Filesize

    727B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

    Filesize

    727B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

    Filesize

    1KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83FD583D6198B7A2A57B44D0AE1797F8

    Filesize

    434B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

    Filesize

    412B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

    Filesize

    254B

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\StdUtils.dll

    Filesize

    100KB

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\System.dll

    Filesize

    12KB

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\UAC.dll

    Filesize

    14KB

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\WinShell.dll

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\nsDialogs.dll

    Filesize

    9KB

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\nsProcess.dll

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Temp\nst794C.tmp\nsis7z.dll

    Filesize

    424KB

  • C:\Users\Admin\AppData\Roaming\Badlion Client\config.json

    Filesize

    871B

  • C:\Users\Admin\AppData\Roaming\Badlion Client\logs\main.log

    Filesize

    540B

  • C:\Users\Admin\AppData\Roaming\Badlion Client\versions.dat

    Filesize

    72KB
