Malware Analysis Report

2025-01-02 08:02

Sample ID 240509-n75pcabc73
Target Badlion Client Setup 4.0.1.exe
SHA256 20d91430397028cb83296e7a41598414c9a4ef272afba435196d231a8cbd0b67
Tags
privateloader discovery execution
score
10/10

Analysis Overview

score
10/10

SHA256

20d91430397028cb83296e7a41598414c9a4ef272afba435196d231a8cbd0b67

Threat Level: Known bad

The file Badlion Client Setup 4.0.1.exe was found to be: Known bad.

Malicious Activity Summary

privateloader discovery execution

Privateloader family

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 12:05

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20231129-en

Max time kernel

1558s

Max time network

1561s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 220

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:52

Platform

win7-20240221-en

Max time kernel

1563s

Max time network

1570s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-processthreads-l1-1-1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240508-en

Max time kernel

1556s

Max time network

1570s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l2-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l2-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:50

Platform

win7-20240508-en

Max time kernel

1561s

Max time network

1571s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-processenvironment-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-processenvironment-l1-1-0.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2972 -s 80

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:52

Platform

win7-20240220-en

Max time kernel

1561s

Max time network

1563s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 220

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240221-en

Max time kernel

1566s

Max time network

1572s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240215-en

Max time kernel

1565s

Max time network

1570s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240221-en

Max time kernel

1799s

Max time network

1693s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2228 wrote to memory of 2644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2228 wrote to memory of 2564 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2228 wrote to memory of 2476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6949758,0x7fef6949768,0x7fef6949778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3004 --field-trial-handle=1356,i,5562080028626298302,17927714373126404736,131072 /prefetch:8

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

\??\pipe\crashpad_2228_FHMPWNFRKGTKFNTS

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240508-en

Max time kernel

1563s

Max time network

1573s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:43

Platform

win7-20240508-en

Max time kernel

1561s

Max time network

1569s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-heap-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:46

Platform

win7-20240215-en

Max time kernel

1563s

Max time network

1572s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-interlocked-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1652 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1652 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-interlocked-l1-1-0.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1652 -s 80

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:49

Platform

win7-20240220-en

Max time kernel

1565s

Max time network

1573s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-memory-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-memory-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240508-en

Max time kernel

1564s

Max time network

1575s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-console-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-console-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240419-en

Max time kernel

1560s

Max time network

1572s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:48

Platform

win7-20240419-en

Max time kernel

1562s

Max time network

1573s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-localization-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-localization-l1-2-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:52

Platform

win7-20240221-en

Max time kernel

1558s

Max time network

1565s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-processthreads-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-processthreads-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:52

Platform

win7-20240220-en

Max time kernel

1559s

Max time network

1562s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 240

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240220-en

Max time kernel

1559s

Max time network

1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Badlion Client.exe" C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\URL Protocol C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Badlion Client.exe" C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\shell\open\command C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\shell C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\shell\open C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669 C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\discord-418076578333851669\ = "URL:Run game 418076578333851669 protocol" C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe
PID 1620 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe"

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe" --type=gpu-process --field-trial-handle=1760,16425787240865697280,2347743643298192813,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\Badlion Client" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,16425787240865697280,2347743643298192813,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Badlion Client" --mojo-platform-channel-handle=2064 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Badlion Client" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,16425787240865697280,2347743643298192813,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Badlion Client" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,16425787240865697280,2347743643298192813,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe" --type=gpu-process --field-trial-handle=1760,16425787240865697280,2347743643298192813,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\Badlion Client" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1768 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1760,16425787240865697280,2347743643298192813,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Badlion Client" --mojo-platform-channel-handle=2648 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NonInteractive -InputFormat None -Command "Get-AuthenticodeSignature 'C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\temp-Badlion Client Setup 4.2.0.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }"

C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe

"C:\Users\Admin\AppData\Local\@badlionnative-desktop-updater\pending\Badlion Client Setup 4.2.0.exe" --updated /S --force-run

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Badlion Client.exe" | %SYSTEMROOT%\System32\find.exe "Badlion Client.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Badlion Client.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "Badlion Client.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im "Badlion Client.exe" /fi "PID ne 3548" /fi "USERNAME eq %USERNAME%"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Badlion Client.exe" /fi "PID ne 3548" /fi "USERNAME eq Admin"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Badlion Client.exe" | %SYSTEMROOT%\System32\find.exe "Badlion Client.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Badlion Client.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "Badlion Client.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /f /im "Badlion Client.exe" /fi "PID ne 3548" /fi "USERNAME eq %USERNAME%"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "Badlion Client.exe" /fi "PID ne 3548" /fi "USERNAME eq Admin"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Badlion Client.exe" | %SYSTEMROOT%\System32\find.exe "Badlion Client.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Badlion Client.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "Badlion Client.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\Cab2BC4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2CA1.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2DC0.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Badlion Client\logs\main.log

MD5 d25465a87d060a97e298a784137449be
SHA1 cf769c982ec20bc52a7bc1f3319a5fb5f748387f
SHA256 8e93f8a812ba135cef7111dc622a74251f41207a9940fb967943c23e3f6f7c5f
SHA512 404ac17766171d55c5dc89596752ec73ceaa360dd7082854ec53573b16e6e077b4e98c3da99de8217562528ba438f2eed49ede21e4bebde2d72287f8dc7904ee

C:\Windows\system32\drivers\etc\hosts

MD5 53316bc0c42b9d65743709021f1d03c7
SHA1 44cfe377bf7fedee2ce8f888cfacefd283e924e6
SHA256 600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36
SHA512 9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

C:\Users\Admin\AppData\Roaming\Badlion Client\config.json

MD5 62d5d73ee869a0a2654d8fd554aaf742
SHA1 be1d557c26633ffd5edcb5caf37b2a09f47c6667
SHA256 9ef970b76a91f607002afb164aa7f01d85e20290cf242e4adafb7f6026900b59
SHA512 8706794249e1bd7fcaa3e7e25c0b976a069b02abc877a0fdf9fce408a12b4aa5c151e5e3f75fc81185f8fef84a0b9c5a908b84f60102ac9aa03aec908a094550

C:\Users\Admin\AppData\Roaming\Badlion Client\logs\main.log

MD5 52a69811d3911242ccea74f86b62e50b
SHA1 05c8078b3ca1f1a902e56a459cc360293e5c0a49
SHA256 c62b91b391bf287ad0aeefc74b5f8b6548e1d0d9eb63487c9e5dc982585f228d
SHA512 6a4f9aa038605af0080aada6c8341815271f184f29c1498f17fd1e5074cb48160aa561f2d5cc0d30783b661cb6216643b3b50d8350adf3be2782a14ede1af782

memory/3688-1172-0x0000000076E30000-0x0000000076E31000-memory.dmp

memory/3688-1140-0x0000000000060000-0x0000000000061000-memory.dmp

C:\Users\Admin\AppData\Roaming\Badlion Client\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bc37a191be574c74a4165c14b443031
SHA1 5fd321c7b1f2cdb53c455671029bd9c5f685094b
SHA256 944363c65b5c67713c16e1a3668142146c98df5a1a770d26db7ad96f5be04326
SHA512 bca3d4573ce57a11f8d7acca35ef359fe472eebc5d814bd7510121d428198cdbd33cb90681190dafa4147da2a4f6e2b560ec91b9eeb9dc9b0382d51bed2ae9e8

C:\Users\Admin\AppData\Roaming\Badlion Client\config.json

MD5 d2da35e826a1e6af049f99048b4fb6ec
SHA1 ad261dccdbf7c44cdcc00a24bcd1bb4fa95da29e
SHA256 21eaa56d4ca1308f21bb534c446d5b0e56410efe28d08fd8780b75a02222d227
SHA512 d85f391144bc05992ab86569e03fe12bedee427e2b1ed7be4eb55a3a428e6bca118b23e9c567fc381b6329f60e67413cb35a06126c268b2063b8fa0d89d95162

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 225b348b62b5e8dc511e6563eedcde7d
SHA1 2b8887c8153e7989634fdca9b99a8afb2c1f79c7
SHA256 01cd6271d2c096ac75b95af02179bf0a577a7a0b8e8f3e488d7409ac01934e12
SHA512 a47d9c58bfcb13feb19b5e4d92976b1dbe3fa98340ae80e0c9839a0e62ae5b87c7a4ff71fdf67e6d76b45fc2cfa45a0d0698a4a743be39b932ddd26194a18bd6

C:\Users\Admin\AppData\Roaming\Badlion Client\config.json.tmp-5256744368684ab8

MD5 ffb98039924220fb33837a443cdc5f51
SHA1 4731fbc7a581df4e0abc248aebc158fb377213a1
SHA256 9a41ec4fbdfa1329a945cc71da90f33605f5b550c8a5ffb7de31f1dd04b095ba
SHA512 e0e1011075b3da237776210fe81511177d093e8e64f3f241ca16f299a3e7198d7431b9a1a705a42073d8524ff77c7d09f0d5094f5cec689c4ba197e7dcf9b70c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c036341c1a048a0e508e987df950da5d
SHA1 006865f217d679b5951d5337a5d743bd8983abce
SHA256 c40eee02379c77d96d175463bb9b41deac854e13d9be6e1b4d871b59e905ec58
SHA512 3b82c9b297e0ee0b12526f93011f06c92e9c70ad97ee1a6f3dabc70157df882dbd6446084b947e1ed94c389f6555608bf163b13b4680a0a362fff6a739e3a5cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 056114e009ec699f27eb7eac21334ae2
SHA1 38323f16c027819ea7dbb30acae006c841a5ef5e
SHA256 11c13573cfbdf74ed8e5ecf303ac70d7c9370ec2dc702e23811729518466cd86
SHA512 104a2fa7e9e3ec2978c66c768e4c14a9c97349b48d829a7e803e36930875b92e07c1a8e281956dd28358c2ace350eefd6b9728b9055b81e411e66aedc9bd701f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 dd88f8a3e762ff16a13c17f1304a68c3
SHA1 ede8ff2f6b44ddce80fbcff23026798528ea72c3
SHA256 53585f7149422f8e6470123296119d0d3e9b662d442d8baf125e153aa70b8101
SHA512 807362365878561b7ec9886985b6c85c92b2a8e97ccf941c0eaff2d15175d452b1da441b8243f4b32b3c36cc0ded83b0b166820ff84268bb6b98fb23dc163c6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1462ecb6765fe9afdfc5e71cc6e84e60
SHA1 9af226965b3d5e2b5f4458197e645a1edf99dd96
SHA256 92946f7fc449c20a5a79afb1771c080ce6fa6f93e2c3507f9e3b88e13cef1c72
SHA512 19539c6cc889b9e5a08877bba00a04eed17e891356450ec4a5e5c3cde35027aee402bc1a25a8a1289dd0e03e0e45a402bb66b69f2087b44ba914268b47e77e8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1db780f858faab18da716539f2435227
SHA1 3444a97dd2cad465ae2f1ca9eaed4b73134331c0
SHA256 368e105c83c01045b7cc6e909626e2df5048fdb7c038466fc726bb2c643de2a4
SHA512 6da7e873aaf4f33767698d2f109a28148416509a215e1d4b00f54d9b088b4a7957d77a6167f0c5e779e75c65a89db66af862b40999e71ab8b57e8c25f77eef8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27ab10d8168683d1f139c87da27e628f
SHA1 91efc6524b1b5af9c30ee7865859d8225bf2064b
SHA256 63b38d5e14f70e0d9e5568f87ef617833e43d15ace94318fcaacee13c1d17836
SHA512 966d7ea31e733de3a4f4741b0915c30ca880173fddabfbfc789f8ffad4c73ef24cebdcd8da148cfa368e1c733803487ba7c52c05c6d12d173b4ab63bdd6ffc43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2197bcb234298c7f3d58e34fa69029a8
SHA1 84ceba1881f67dc769b4c0b41cba016de3447a49
SHA256 ae3b1d7cd025f41098baa67b6eeaa85ff79ca7e10d0600258b6cf7afd6a540d9
SHA512 cec187030c684ccedaf1915f1a85c494e2a03c9e63990c91f59b3048b85588d83a6d169c43f7e11ba05a632697811514bb8b4c18fb4520443f1c5ef1a0bcabd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0514465c66d070c846ab1962b0d34db6
SHA1 6dee2f9b6fb5e8b213de0ad86489e1681caedf38
SHA256 9be929922a5ee98349eef6f5ff62d9564e8061f625600d05ccb035c6b827d334
SHA512 31048224ec9a0ad980871c652efca1be7ed2cb30d2627e16dba19fafe06f27709e90ec33ed8044f3c97b981de6725ecdc63f8c081d4040fe50b6173a2685925f

C:\Users\Admin\AppData\Roaming\Badlion Client\logs\main.log

MD5 35c685399da519fff1dd2da2eea03e4e
SHA1 52b473dc790ffe57ecb1261993040b54c6ef1654
SHA256 1d252605d29d40ec2961ee4ccf18bce8854d7fbac71ec4d0d0012a0edbc60153
SHA512 714aef66cfa54be304c3ef3f3086c07728ff7bdc38b8fe4115793a4544e874e43c90b9c9f4ca9a068111bdb6e64a84198ebce4800bd15114951b08675e5a18e9

C:\Users\Admin\AppData\Roaming\Badlion Client\0c6a5e91-e7da-4fcc-a8b2-22ca935840fb.tmp

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\6998bcf3-996b-44aa-aa89-369f95da00dd.tmp

MD5 d7f843e6a28af50e926102d1a66bdea4
SHA1 3ed8689b9f3551295ad650e9d5fe570103bf8811
SHA256 d5539b87d1ed08128e83c952789d9fa156283c16fd571d8c4b2d76f99c48887d
SHA512 2b2d11ee97f0d32323f328baf11bb99566e82013631dd30ced104967088d8b38f47492c5fca4a66c6d55fc67a2011bac725f98cfe0d1c4c88b75a0ec331c8c13

memory/3400-2339-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/3400-2340-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Badlion Client\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\Badlion Client\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\Badlion Client\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Roaming\Badlion Client\.updaterId

MD5 1fb274f5c30282342936fe4f0af190b3
SHA1 04ad50fe35101f35837cabdc4e08a8ce902f0f50
SHA256 a13d03d7a5a90a81eec69ca5d19e92f7f8c15c57096c46f6e36696036e211073
SHA512 fb67fb8029435de87fa887014382413ef571c568bfd3f2d6aaa73feba1ff2ec83607915d8ecd088679b0d6eab8494a413e5bd7b5512626b5cbd214de30853ec9

C:\Users\Admin\AppData\Roaming\Badlion Client\en-US-9-0.bdic

MD5 a78ad14e77147e7de3647e61964c0335
SHA1 cecc3dd41f4cea0192b24300c71e1911bd4fce45
SHA256 0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa
SHA512 dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

C:\Users\Admin\AppData\Roaming\Badlion Client\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Badlion Client\versions.dat

MD5 f6290118c4ede2f15bcb188c720a613b
SHA1 5e06b55d85c6a3af9b6383db755512b4ac6b2004
SHA256 9ce6500ac068c39adf1578618f5b1a611d36093bc1e1fe5cdcea79fc9b3045c3
SHA512 07ecdcbbef71c15528abbbac3ec62096ef4bc278123e404eaa8cf546dc291dcae0c04dca6e430545fccee74c51c54ae8ad5b3af81a2ecbb807d191b6c243fb76

C:\Users\Admin\AppData\Roaming\Badlion Client\Session Storage\LOG

MD5 4402bb812a8a5f5515e8d8562579f2ce
SHA1 047cfd6976464586d202c8434532127c4023cac3
SHA256 3f4105e3a0d7c129ba16bf5380aef2ea467d59694d86b9c56a9160addf7d8942
SHA512 1647e14b52fe81b25104895a99867e7c63ffabaef8e5959a8e6a8560f18fcf0028a4e00e861532be8d8ed7ead585c0e9f7e77d51e382f2f266a105afac6359a0

C:\Users\Admin\AppData\Roaming\Badlion Client\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\Badlion Client\logs\renderer.log

MD5 5a240e1bb8180e3aa0ac412e83dc0aa4
SHA1 d6f853c1125851b24fe643864b3a2d4f48d1b403
SHA256 41e3709bbb4e17b8c1529cddff6178f472913af2a407ad9ff82a08db34a98d3b
SHA512 00648c2a459918922e146d198d502ad96903ed2a180a88a958df55f25cd85407563425b7494c2e62241d023208002a83828c4c463376af7ccc7cf215e885070e

C:\Users\Admin\AppData\Roaming\Badlion Client\logs\main.log

MD5 6e90ff7b26ae8d2d6613d88f4d96fb08
SHA1 9d7ce3767bea7b73bd8a79b0df87b4dd1cfde839
SHA256 a0a6ab9c94ca19a56cbed886529cef31db1a67e460229167612e3390fe43eb26
SHA512 f56d2c62b17db85343fe50706bc02eb1be21eb0aac2fe29f4fb0e98c02d0e72e9ab5e1ae4525417d341d8ec4a059a5eec11bcf1cb6cb71d510bcd06950664926

C:\Users\Admin\AppData\Roaming\Badlion Client\logs\launcher\launcher-2024-05-09-12h-12m-20s.log

MD5 34b468ddb2af1399ac0bb49f3082448e
SHA1 21a82a9cacfd4ab91495314f27f9737f41ed20d6
SHA256 d0a7a7fd353f71f9d3a983ad950969f1acf22add39daf5f656b493d3d02aae26
SHA512 5942d6cb980065e0f356e266ab557805be917761ead0b2dfb0454fcb1c7021fdf2ec847bc16332bd637300653ed7ef82e697d71c6b531d5fba6c91196ad54df1

C:\Users\Admin\AppData\Roaming\Badlion Client\Local Storage\leveldb\LOG

MD5 77ba18b34b6a5b99c52187c3c5280e62
SHA1 7969408a9b9c5c8454aea75513f08ef43503e2e0
SHA256 be203cdd6168bab31fb5935ccd7e0b1e1aca71caad1650d894eb357a7458a2c9
SHA512 560ecadb688c084a5b07d536b8cefa3063ea9a70d2d41a9c7740a359ea7550e671040fb5d0306e16a021de06584b77c119341e996f2d029a7f7be27c635888c4

C:\Users\Admin\AppData\Roaming\Badlion Client\Local State

MD5 e4ff42c3330b5598f5271f99380fbfeb
SHA1 bacbc8048aa7f005fb6d46573a1ff0747c3d84ac
SHA256 cc95511320f9eab2976b3bf8db161c61b89551cce8d342cc8098d55bccd605d4
SHA512 3bc475bae3d1827fbe7e8ce83a00549e84d90c894cdceb3aedb459628181dacf14222832dd0d21f943d18be20bccb524bad95c468c60ed10abb0a1802de3dc6b

C:\Users\Admin\AppData\Roaming\Badlion Client\GPUCache\index

MD5 eab0b63597996b16935181b2a46a7d6b
SHA1 4e842dd7671db1c04e8c431c6e8513537cd57af0
SHA256 e6d3b5dea0b91d7fe9e9e4bd6545de617ad66a2d40dedd1e3478004a95400b52
SHA512 7b106b802dc6ca163475cc9205024c76f0d6f2de4ba1a0b42fec453c0b4484a153b8653287d70e61a17ee39cb1c454daa8314d3f4fab1ce9d214d3537b366411

C:\Users\Admin\AppData\Roaming\Badlion Client\GPUCache\data_1

MD5 ad7baf597a3fe60c679616e5acd4e140
SHA1 0077703630e46964ac318af227f03aff1ec028d7
SHA256 7c6f76d01910884bf7a1266a2d208ddb03f38076b3787c0e5d0bf7684a7ab899
SHA512 e07397f2cb8e60c0980628a4b02b66eb323772fedf4438f753ea92d1980e58c2110c1acc6e3bd8aab15d42eeefd8e553e969186817a5275054c124cc9583e2a2

C:\Users\Admin\AppData\Roaming\Badlion Client\FontLookupTableCache\font_unique_name_table.pb

MD5 5d6cc2e52416a5c83e28c6d60de90615
SHA1 b5460409df661341ac2ef71a7bbe8342be28ca0d
SHA256 d56228a78e0a31e0fb28541d9dde2cf10913d3b7ef854bccb11a017af89f2607
SHA512 c486eb59ababbf71dcf12be4ae4fa9fbbea06be31cf0e9e143fda1434b64665caf8aadc013f29bc7e4e48147df87a4abbad183595c36d50ec21f32bd4568cc7b

C:\Users\Admin\AppData\Roaming\Badlion Client\Cookies-journal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Badlion Client\Cookies

MD5 b9ee75b6e293e9bf51498d4c29f6ea3a
SHA1 4c546cb278b06a4f1fe798ccb5b59169224e455d
SHA256 dcb408efd8ea604a772143f69b04db5ff09cd61d86d4a0e1d60d88887377093f
SHA512 b1e95b27dfe320180eed4b5c6cf8f3d58c66994f5e46b39c8114dedf352138208d26296286fc3c89781464a0a7e9d23ea372d8340eebc932225018e64c8f7a75

C:\Users\Admin\AppData\Roaming\Badlion Client\Session Storage\000003.log

MD5 7e3bc92bea6fc75e378e85cb59274369
SHA1 d9692fb7c5b6024ae1fed1b70b9f650f6d6074a3
SHA256 5eecd4a070a71ffef15fbbf8f497f269721770e4ad570b4d2f344531366291c8
SHA512 1f3bd4f15d5b9989dd38ef9317dd2c0da34abb142bfac5366d60aebb2a83d55706988db9c6812598af38f66a5d0b6c95485c4196f5dabf05b7e31265ef8a2c21

C:\Users\Admin\AppData\Roaming\Badlion Client\Code Cache\wasm\index-dir\the-real-index

MD5 b740e332644495b5fc6291e0da73d679
SHA1 70a605d0d185d9d7f825103a71b9cc5ed62fa9f5
SHA256 766257ca231acde5670c1a5b32fa9fc5b0e651f33ee108d8e32f7ca43eef3a74
SHA512 575b01b7f3a7518a258a007cd00682508cd92fe6b7b74fe82b439454c28b98b119d125ec4bf73fba06468dff28b57a2a97bef50f2869d57ca11ed6ab365d39a5

C:\Users\Admin\AppData\Roaming\Badlion Client\Code Cache\wasm\index

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\nsExec.dll

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\nsis7z.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\lz4-java.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\notoseriftc.font.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-console-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-memory-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-handle-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-file-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-debug-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-profile-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-private-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-multibyte-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-util-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-sysinfo-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\api-ms-win-core-synch-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\concrt140.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\discord-rpc.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\vcruntime140.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\VMProtectSDK64.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\zlib.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\VMProtectSDK32.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\vccorlib140.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\row_resize.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libs\lz4-java-1.7.1.jar

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\chromium.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\lunatriuscore.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\native-modules\launcher.node

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\native-modules\freetype-jni.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\native-modules\badlion_js.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\swiftshader\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\swiftshader\libEGL.dll

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\WinShell.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\resources\roots.pem

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\resources\debug-log4j2.xml

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\resources\app.asar

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\resources\app-update.yml

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\native-modules\badlion_electron.dll

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\en-GB.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\xxhash.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\xdelta.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\tiny-process-library.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\slim.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\skyhelper-networth.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\skyblockaddons.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\rubik.font.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\replaystudio.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\quickplay.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\openjdk.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\notenoughupdates-repo.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\nativefiledialog.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\nan.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\mclib.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\licenses.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\licenses.dependencies.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\freetype.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\freetype-jni.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\flag-icon-css-license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\ffmpeg.readme.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\ffmpeg.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\disruptor.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\discord.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\cairo.font.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\badlion.licenses.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\autotip.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\autofriend.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\licenses\aperature.license.txt

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libs\optifineinstallwrapper.jar

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libs\joml-jdk8-1.9.25.jar

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libs\disruptor-3.4.2.jar

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libs\caffeine-2.8.8.jar

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\zoom_out.png

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\zoom_out.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\zoom_in.png

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\zoom_in.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\row_resize.png

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\move_drop.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\link_drop.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\invalid.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\hand_grabbing.png

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\hand_grabbing.cur

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\hand_grab.png

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\hand_grab.cur

MD5 3f37213b8c0a7374308b2ae99d4eefa2
SHA1 b72b9901b3fe6fc8693d67cc5e419e494afddbb8
SHA256 3df4009e28e365e1666c868aede15239c75cbb6cf710cd691997b722c3eea7f0
SHA512 ce33a5698bc937ae0ba3da69fe7d4f9e15cee08e45451b7a21d17b5a2133a1b6579d622bd9a749612e15359abda4871335d60ce47545699326648df8b4b6fd36

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\copy_drop.cur

MD5 f92d1851a489b0af7ab807a2f07ebe16
SHA1 d97c9d7ab76993448f6240322140dd23c756b6c6
SHA256 18920d4ab5cd0b654b1e8bbc33fe5278907514a1b227f701a16b9a3309ee87ab
SHA512 b4494c8da0734ec69caec38324c6b3b91e898ad8b25c9d7dee9ca56c41cdec768c16efc10d71c856a0bc633ff22cc76cb01ee8ef887899e2486fb7f78b340a7f

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\col_resize.png

MD5 0723c45d9f82b0e31a1fee26b9b4f53e
SHA1 5608c3c92d70c61f597d1f1d3aaa85e72ebc4dcb
SHA256 6ef1e382e5e2472e8426a0f486ab51fa2216cdf929a3b737f78564a8ad57b1ab
SHA512 326f31b3e25c11fee7c28040252b5eaf183b0380ef87033134ff032eca4d90a28eda08837af833e0d5c9ec06d7e63053f23c64d9fec5fda0038c27546bfc1932

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\cursors\col_resize.cur

MD5 23633a8dfa3548705f28c83ee9584d6d
SHA1 be5dd224d071d965bc0411206cadf9b33ddb384f
SHA256 d3b49998f6d1039bf8b65f73f5784653164804c72908a40a5cf8ea850978a0d0
SHA512 5b0971bf5c7bc17ae746c88e4fe3f0342d9288f8feb3ebc106b6a031d62b48af8843af0079a18c7ffe4a2200e9d6d58f92f1d87987a068bbf8e4bf7210153782

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\ucrtbase.dll

MD5 cca4929ef8dd988d7221ef6ba398f1b5
SHA1 1d21e60e56a15038702dc18148be8cecee279890
SHA256 4292c29e74d90aef21bbad50e8fe25858c5990846adb629372ca6fd717cd0ca3
SHA512 d990d1370201541e7a1e1ec9b68e40a984d0195847010919148d0de80d2a2c51bcccfeeca59087fca95ab410c9e170c4585c8daa1383f1383b98500d797a41ca

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\ssleay32.dll

MD5 c87e22c79b0653a27e0f9e6b1a9ac8bc
SHA1 bd37e85bf38192614d2b8fb5048d7e9f38eb34ac
SHA256 4a53f602f4891247dec42ce9a79862192cc80e12f40e6b4bb0a8db25052c8132
SHA512 97bc98e134636bff81bbfe3275141106377fa4dcf63bd191151a8f6d1c5109ac49eae81a89bdd90e5e2e5aeba274d673f646c0aa65f3dfd673ec2b23067417b1

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\snapshot_blob.bin

MD5 dbe18c25f68d40444ea576a68e78a12e
SHA1 44453e3fa8400cbe6bb674adaaad4ea09dab0e14
SHA256 c7c0d878697264269ca58861187e18d083aaf3f7f50bf4f6179fc080507bfa8c
SHA512 7ad4fd83f8337f263e128f8ee498d58b9dc89b876156157fda7636e4efa84691d6a9ff35c40d5482c9da98f8cc7b2eb87428a2a2690359ad6dacdf506d2e1f6f

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\resources.pak

MD5 f616d69f6e582582930d06c5c18f0f70
SHA1 fde8e2653f2a5317492105bcabeb3565faaf74de
SHA256 bba807d7822c4317fd097da4a442b4206cb940d077cc127c42c1e29cf72fa855
SHA512 492e678860f240a62094f696a5e50f408f881c903fce655e18ac6450e3b88befde56778c7ffd20f22561fef07671f6c2f7463ffdd8a17fa2c82e072aee736016

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\psapi.dll

MD5 80050af28eb0070a582b33470d20fc91
SHA1 bacf5fdb74ef5fbaf91d0475736d566ee3babc18
SHA256 65e42f8fcd039abaccd6aa815d237f1d6f7ee2067457c8ce235333226cff16b2
SHA512 780cc5783d93fd8e7dfedb291f384be4fb1c4022bea22dce991b360a2029ae42f864c540af3d75602a9975e3b66324a3b5f3ce4582ecc32918c35e00f3abf68d

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\msvcp140.dll

MD5 9ff712c25312821b8aec84c4f8782a34
SHA1 1a7a250d92a59c3af72a9573cffec2fcfa525f33
SHA256 517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094
SHA512 5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\LICENSES.chromium.html

MD5 27206d29e7a2d80ee16f7f02ee89fb0f
SHA1 3cf857751158907166f87ed03f74b40621e883ef
SHA256 2282bc8fe1798971d5726d2138eda308244fa713f0061534b8d9fbe9453d59ab
SHA512 390c490f7ff6337ee701bd7fc866354ef1b821d490c54648459c382ba63c1e8c92229e1b089a3bd0b701042b7fa9c6d2431079fd263e2d6754523fce200840e2

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libGLESv2.dll

MD5 640a515fcd8e5d5a332c1d40c47700b0
SHA1 0128c9d499deb7866f3d7aae0adab69d9a8f768f
SHA256 927c858deb4700d3759fab436d5ba554ff4cf7be505d536ea1c673707d5ca8a1
SHA512 792acebb5ba329e61bc319b415ba01248dcf18c7e46695222682dbf59d179403ced15c19ae03a282dec7e622121c05844d8eae5a04a2aa1f552ebced51644e27

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\libeay32.dll

MD5 4b8269a6ec04ec8ac23904eaaee075bd
SHA1 7e58e27dfd38de0d77eb729824f10c6aa5a0b8c6
SHA256 3c3d0df094235029e561a7813aa5835b25a8bb7b38dd77ef8acbd335f6db0485
SHA512 82a303b1e5adb8ffaa86c99fd63c533841bc9e3237ea3478584411dd92d60ea573ef063758747ff0497d58dfb085e014be1b234b5902face23a29e842b095d1b

C:\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\7z-out\icudtl.dat

MD5 224ba45e00bbbb237b34f0facbb550bf
SHA1 1b0f81da88149d9c610a8edf55f8f12a87ca67de
SHA256 8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc
SHA512 c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

\Users\Admin\AppData\Local\Temp\nsoDB43.tmp\NSISdl.dll

MD5 ba2cc9634ebed71cea697a31144af802
SHA1 8221c522b24f4808f66a476381db3e6455eab5c3
SHA256 9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba
SHA512 dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240508-en

Max time kernel

1562s

Max time network

1573s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240508-en

Max time kernel

1565s

Max time network

1576s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-handle-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-handle-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240419-en

Max time kernel

1565s

Max time network

1577s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VMProtectSDK32.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VMProtectSDK32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VMProtectSDK32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240215-en

Max time kernel

1560s

Max time network

1568s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-debug-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-debug-l1-1-0.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1756 -s 80

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:47

Platform

win7-20240221-en

Max time kernel

1800s

Max time network

1819s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-libraryloader-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-libraryloader-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:43

Platform

win7-20240221-en

Max time kernel

1561s

Max time network

1578s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 228

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240221-en

Max time kernel

1565s

Max time network

1578s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VMProtectSDK64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VMProtectSDK64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:52

Platform

win7-20240508-en

Max time kernel

1561s

Max time network

1564s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 220

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:51

Platform

win7-20240221-en

Max time kernel

1801s

Max time network

1820s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2300 -s 84

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:52

Platform

win7-20240508-en

Max time kernel

1560s

Max time network

1572s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-profile-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 13:04

Platform

win7-20240508-en

Max time kernel

1558s

Max time network

1562s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Badlion Client.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Badlion Client.exe

"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Badlion Client.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

\Users\Admin\AppData\Local\Temp\nsy2C9D.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsy2C9D.tmp\UAC.dll

\Users\Admin\AppData\Local\Temp\nsy2C9D.tmp\StdUtils.dll

\Users\Admin\AppData\Local\Temp\nsy2C9D.tmp\nsDialogs.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20231129-en

Max time kernel

1561s

Max time network

1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 4.0.1.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 4.0.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 4.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 4.0.1.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy2943.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsy2943.tmp\UAC.dll

\Users\Admin\AppData\Local\Temp\nsy2943.tmp\StdUtils.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20231129-en

Max time kernel

1559s

Max time network

1563s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-09 12:03

Reported

2024-05-09 12:42

Platform

win7-20240508-en

Max time kernel

1560s

Max time network

1571s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-errorhandling-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-errorhandling-l1-1-0.dll,#1

Network

N/A

Files

N/A