Analysis Overview
SHA256
d5a5189d316e32de65535f17bbf55b372c3e9d4a504d198f180dfebaeaccb40d
Threat Level: Known bad
The file Muck Trainer Setup.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-25 12:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-25 12:02
Reported
2023-04-25 12:05
Platform
win7-20230220-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Lumma Stealer
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "35" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "35" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell\open | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.6.0\\WeMod.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\URL Protocol | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\ = "URL:wemod" | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell\open\command | C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe" --silent
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --squirrel-install 8.6.0
C:\Users\Admin\AppData\Local\WeMod\Update.exe
"C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://titles/50639?_inst=5xWlYPh7rrMnYbpM"
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" wemod://titles/50639?_inst=5xWlYPh7rrMnYbpM
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1040 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1600 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1224 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1040 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\WeMod\Update.exe
C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1682431511368_Out
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.wemod.com | udp |
| US | 104.26.6.92:443 | api.wemod.com | tcp |
| US | 104.26.6.92:443 | api.wemod.com | tcp |
| US | 104.26.6.92:443 | api.wemod.com | tcp |
| US | 8.8.8.8:53 | storage-cdn.wemod.com | udp |
| US | 104.26.7.92:443 | storage-cdn.wemod.com | tcp |
| US | 104.26.7.92:443 | storage-cdn.wemod.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | tcp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | r3---sn-5hne6nsr.gvt1.com | udp |
| NL | 172.217.132.72:443 | r3---sn-5hne6nsr.gvt1.com | udp |
| NL | 172.217.132.72:443 | r3---sn-5hne6nsr.gvt1.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 104.26.6.92:443 | storage-cdn.wemod.com | tcp |
| NL | 142.251.36.3:443 | tcp | |
| NL | 142.250.102.154:443 | tcp |
Files
memory/1928-54-0x0000000000180000-0x00000000001A6000-memory.dmp
memory/1928-55-0x000000001AE60000-0x000000001AEE0000-memory.dmp
memory/1928-56-0x000000001AE60000-0x000000001AEE0000-memory.dmp
memory/1928-57-0x000000001AE60000-0x000000001AEE0000-memory.dmp
memory/1928-104-0x0000000022570000-0x0000000022D16000-memory.dmp
memory/1928-119-0x000000001AE60000-0x000000001AEE0000-memory.dmp
memory/1928-120-0x000000001AE60000-0x000000001AEE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
| MD5 | 24985391366a2f90a132465022fb5f69 |
| SHA1 | f9564ca80e59a57a7fbc7b865c74ba079386b140 |
| SHA256 | 689c4761b9897b14dbadf5dd833c603a2deecdeccfb1f7c5a6304b2afbe7cfee |
| SHA512 | 14bba15cb5d40ea02a40a227c2c57f63d65a9cbcc5448a7efe84f8c93648d5a7e9ebe2574e118fc775d34e73381af5096b3c4371efb2ef52de0effe776de657d |
memory/1620-125-0x0000000000900000-0x0000000000AD6000-memory.dmp
memory/1928-126-0x000000001AE60000-0x000000001AEE0000-memory.dmp
memory/1620-128-0x0000000002080000-0x0000000002100000-memory.dmp
memory/660-162-0x00000000007F0000-0x0000000000850000-memory.dmp
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\squirrel.exe
| MD5 | 2e4acb84ffaaf4ac65d1378491ea7ba8 |
| SHA1 | c927761e4512e2c9ef81d97c5a33a00c384fd0c7 |
| SHA256 | 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f |
| SHA512 | b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410 |
memory/1760-231-0x0000000000950000-0x0000000000B2C000-memory.dmp
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe
| MD5 | 2e4acb84ffaaf4ac65d1378491ea7ba8 |
| SHA1 | c927761e4512e2c9ef81d97c5a33a00c384fd0c7 |
| SHA256 | 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f |
| SHA512 | b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\v8_context_snapshot.bin
| MD5 | dd9ca4878bba782613cba372de1c36f4 |
| SHA1 | 2eefcb6fcaa4b2ed717c952895710be5701871a7 |
| SHA256 | ea33ca96024769386ae0ff100c2ae239507006d7340f1f8bbc5bcfb4195f9226 |
| SHA512 | 0791d3827a6de5745d3424c562b16604cf311ed6fcb4cf62d2c7f54ec0b7f3535b1114e919d2ba6d144cbe9f45418a555ab3fd801078bd8d563a656796f5d4e6 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\icudtl.dat
| MD5 | cf9421b601645bda331c7136a0a9c3f8 |
| SHA1 | 9950d66df9022f1caa941ab0e9647636f7b7a286 |
| SHA256 | 8d8a74ca376338623170d59c455476218d5a667d5991a52556aa9c9a70ebc5e5 |
| SHA512 | bc9601e2b4ab28130bfadfd6f61b3ed500deb0bd235dc5ca94999c09f59d10bdcbf278869a9802f918830041f620c88e2c3b506608ade661db48ccd84c1977eb |
C:\Users\Admin\AppData\Local\WeMod\packages\WeMod-8.6.0-full.nupkg
| MD5 | 5b65b8e7c722ea3cdd852a60e3a47e48 |
| SHA1 | 78caa65d63160b9b3364633ed0435b91eb116d8d |
| SHA256 | 1b663486c0bf5ea10ecc69c3eaa7b46c565f3cf6c1144dcde260fa8611cfb20f |
| SHA512 | 059e220748dcaf694edc308f9a16d90975c0cd098158256ac9e4f8a77364896e5bca1452448492c15f5e22f1a1c3b06a0e73da081a5713988b1686da47fb6d3d |
C:\Users\Admin\AppData\Local\WeMod\packages\RELEASES
| MD5 | 2048a6e63ea6c66ea9001d9f51fe6c38 |
| SHA1 | 6faf9dc016628783068f5430da2d6ab6ee99846d |
| SHA256 | 52cc531dc4610e5fb892bc39bc91811a58096e9032f1c67f9f46555c1be3c32c |
| SHA512 | c4d47030b171a403d0990f769cc63ed109929ce3e9089a546fa144e748696d6d75f958d66c80f4aa84585db0977323cf7e0c428857ff898db373a4f2edb5b4cb |
C:\Users\Admin\AppData\Local\WeMod\Update.exe
| MD5 | 2e4acb84ffaaf4ac65d1378491ea7ba8 |
| SHA1 | c927761e4512e2c9ef81d97c5a33a00c384fd0c7 |
| SHA256 | 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f |
| SHA512 | b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410 |
C:\Users\Admin\AppData\Local\WeMod\Update.exe
| MD5 | 2e4acb84ffaaf4ac65d1378491ea7ba8 |
| SHA1 | c927761e4512e2c9ef81d97c5a33a00c384fd0c7 |
| SHA256 | 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f |
| SHA512 | b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410 |
C:\Users\Admin\AppData\Local\WeMod\Update.exe
| MD5 | 2e4acb84ffaaf4ac65d1378491ea7ba8 |
| SHA1 | c927761e4512e2c9ef81d97c5a33a00c384fd0c7 |
| SHA256 | 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f |
| SHA512 | b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410 |
memory/840-273-0x00000000003B0000-0x000000000058C000-memory.dmp
C:\Users\Admin\AppData\Local\WeMod\packages\RELEASES
| MD5 | 2048a6e63ea6c66ea9001d9f51fe6c38 |
| SHA1 | 6faf9dc016628783068f5430da2d6ab6ee99846d |
| SHA256 | 52cc531dc4610e5fb892bc39bc91811a58096e9032f1c67f9f46555c1be3c32c |
| SHA512 | c4d47030b171a403d0990f769cc63ed109929ce3e9089a546fa144e748696d6d75f958d66c80f4aa84585db0977323cf7e0c428857ff898db373a4f2edb5b4cb |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar
| MD5 | 9b47f8546d1258078638930f63f255e5 |
| SHA1 | 0553dac387bbca7e2c8bca3feb52aff65048d688 |
| SHA256 | 2ef3023f110b9dd9de28bfa84d9fcfa1e6babd76b2bf0f6a92bd624a67ec1f45 |
| SHA512 | 614ca9bc4c792ddada2d8830c503197d547197d663ff08b8c89d2755ecdc9c83df1de3a7865e3c2cf4ebbc9892e1ae1534321bc564cbdd1652361d7fe4aa064d |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources.pak
| MD5 | f24c85d2b898b6b4de118f6a2e63a244 |
| SHA1 | 731adfc20807874b70bda7e2661e66ff6987e069 |
| SHA256 | aca9267dd8f530135d67240aa897112467bae77cd5fe1a549c69732fdf2803c6 |
| SHA512 | b49f6a4eb870b01b48b4cfbf5a73c1727cf7847a9505f7c11ce6befdbef868484867f6e0ac66aea8177ca5cab2abba1cae5ac626a8e3f44fc001cac0fe820c61 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\locales\en-US.pak
| MD5 | 3fef69b20e6f9599e9c2369398e571c0 |
| SHA1 | 92be2b65b62938e6426ab333c82d70d337666784 |
| SHA256 | a99bd31907bbdc12bdfbff7b9da6ddd850c273f3a6ece64ee8d1d9b6ef0c501c |
| SHA512 | 3057edfb719c07972fd230514ac5e02f88b04c72356fa4a5e5291677dcbab03297942d5ecdc62c8e58d0088aed4d6ea53806c01f0ea622942feb06584241ad2d |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\chrome_200_percent.pak
| MD5 | 9c379fc04a7bf1a853b14834f58c9f4b |
| SHA1 | c105120fd00001c9ebdf2b3b981ecccb02f8eefb |
| SHA256 | b2c25fb30fee5f04ccdb8bf3c937a667502d266e428425feeb5af964f6167d48 |
| SHA512 | f28844dba7780e5f5c9d77ac3d29069dfcd6698447d5723886e510eadd51d6285e06adbda06bf4a69f841afc161c764cb2e5b9ad2c92f0a87176709b4acd2c13 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\chrome_100_percent.pak
| MD5 | 44a69827d4aa75426f3c577af2f8618e |
| SHA1 | 7bdd115425b05414b64dcdb7d980b92ecd3f15b3 |
| SHA256 | bca4401b578a6ac0fe793e8519fed82b5444972b7d6c176ec0369ed13beaad7b |
| SHA512 | 5c7bdf1f1deb72c79b860bf48f16c19cb19b4d861c0b6beb585512ad58b1bc4b64e24edfcd97233e5b91dcd0f63ed1c7b278d22ec062fd0dfe28fe49cae52049 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\icon.ico
| MD5 | 34ee19ccd44f31cd831dc50920f19890 |
| SHA1 | 24545d2f4741fb5a4649840486ffd3597b7ade5b |
| SHA256 | 136cf9b3a30268d1d439df7b9fd9104cb1d83be7fd2b562c3e9a47450ae0df3d |
| SHA512 | ded8ade93c143dc8abc7a76b03b4015a8637b2ee13b85dd70655d5857289f19ebef76562eace56a3ad3c2418fab5305bb0b6cadd0a412ddb781b8f496e82c74a |
memory/1940-296-0x00000000086C0000-0x00000000086C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\WeMod\Local Storage\leveldb\CURRENT~RF6d316d.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/1536-331-0x000000000B7E0000-0x000000000B7E1000-memory.dmp
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\libEGL.dll
| MD5 | 8b967ad62cc99673cde56980ed63575d |
| SHA1 | ad32b4e7ccfea0df27f9859be34aec8805ac1422 |
| SHA256 | 61c9a573c6f81b60ba4bbc5197580bbd79ece79872d20fcd3e105c9d286b8d5a |
| SHA512 | cd259a87a4cf47fdc9bbb41685c7a60aa4b4b493849be8ae57dc2295fb146c57297da6b4b8de7145a69b25cb5526f48d559f7273c4f4a5a022cd3c66364a11a3 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\libegl.dll
| MD5 | 8b967ad62cc99673cde56980ed63575d |
| SHA1 | ad32b4e7ccfea0df27f9859be34aec8805ac1422 |
| SHA256 | 61c9a573c6f81b60ba4bbc5197580bbd79ece79872d20fcd3e105c9d286b8d5a |
| SHA512 | cd259a87a4cf47fdc9bbb41685c7a60aa4b4b493849be8ae57dc2295fb146c57297da6b4b8de7145a69b25cb5526f48d559f7273c4f4a5a022cd3c66364a11a3 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\libGLESv2.dll
| MD5 | 177e604afed9174818c288861079a67c |
| SHA1 | 251a142753a7231112939a43d4987e84c343e876 |
| SHA256 | dde9d5defb26f9380a576a7260e7b707139e8ee0440d2f2ac280f3244f17f9b6 |
| SHA512 | 3c29ea51691060285c89ad5e1b507054c96d6e026b0147353e9c0601b64c6c64fe677184a4514972e0c40694617ef728fe58ad39079c905f30a87683e2f7198a |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\libglesv2.dll
| MD5 | 177e604afed9174818c288861079a67c |
| SHA1 | 251a142753a7231112939a43d4987e84c343e876 |
| SHA256 | dde9d5defb26f9380a576a7260e7b707139e8ee0440d2f2ac280f3244f17f9b6 |
| SHA512 | 3c29ea51691060285c89ad5e1b507054c96d6e026b0147353e9c0601b64c6c64fe677184a4514972e0c40694617ef728fe58ad39079c905f30a87683e2f7198a |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\d3dcompiler_47.dll
| MD5 | ab3be0c427c6e405fad496db1545bd61 |
| SHA1 | 76012f31db8618624bc8b563698b2669365e49cb |
| SHA256 | 827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6 |
| SHA512 | d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\D3DCompiler_47.dll
| MD5 | ab3be0c427c6e405fad496db1545bd61 |
| SHA1 | 76012f31db8618624bc8b563698b2669365e49cb |
| SHA256 | 827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6 |
| SHA512 | d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 1360eb7749d8b6aed29b771f5e7bf3d4 |
| SHA1 | 9ca7b1f207820c3ce2ac87bf6cd73ad697e54d30 |
| SHA256 | e40430c7f53c2f9d83228bfa594bb434068c140a7c88f27f86927d601bc62dd0 |
| SHA512 | 22a5a1fba9688c588eadfd6a2c88e196403f1edc1be2887aa61a50a1cfa39c186b44bbeec275146ef0689842965a0d223a519993adcfab96c7040ebdb90e1a64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 1e9a7128562a7d2d62df4ccd9ffd53d4 |
| SHA1 | acbb88e41b0292955a8b9b11d822e5c4719e14a0 |
| SHA256 | 05b8c24c6005fe54d93d1c692a32aca01659d5db34551d654690502a26992bce |
| SHA512 | 776327dacbb3a0f580b3eb76a4530465ed8e00438ec8b8550cb1da9584a646636affffd7ad4b24f9906318cef32b1011d7944bd940e16cb5c7fdc6aeee057d99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | aa62f8ce77e072c8160c71b5df3099b0 |
| SHA1 | 06b8c07db93694a3fe73a4276283fabb0e20ac38 |
| SHA256 | 3eb4927c4d9097dc924fcde21b56d01d5d1ef61b7d22bfb6786e3b546b33e176 |
| SHA512 | 71724e837286c5f0eb2ee4ad01ac0304d4c7597bb2d46169c342821b0da04d8597491bd27ef80e817bc77031cd29d2182ccc82ef8ea3860696875f89427c8e0a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | 736778ba27094b65d798401dc16b584b |
| SHA1 | e2fa292b8081a3cecdd6710a52fab716b64e5549 |
| SHA256 | ee09f881665545d95a7fae340ebfbbba25752f2b9bc38c3251375675571dfe26 |
| SHA512 | 8b942de0917f2f0461206d1ad4c7538baa31f3e6c48e991ae6e2dc47d9c933a8330f67140eb6b7befc686cd014a35748d5901b16904012a8f843eb72c8f61128 |
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
| MD5 | 785460a10d3b9bb8e77cb0474dd405e6 |
| SHA1 | d905a695151b170d042fc60d938e1f978ab12e2e |
| SHA256 | 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5 |
| SHA512 | e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll
| MD5 | 6eb84bf78abc36ec975f0a72ec7d83d3 |
| SHA1 | b92944d2605822e2ffc5196ac299e2bf86c6e25f |
| SHA256 | db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc |
| SHA512 | 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll
| MD5 | 66cafd13877168b0062349a5a639e4fe |
| SHA1 | 3936afd07d22d44d033908ae6d56c58ff395d755 |
| SHA256 | 270f2398c073b62660eb8ff492a8ed4c0b760b044d34a6b6fbaa42cf7cb78e84 |
| SHA512 | 8d1d2f9516510ae7b0d4a7f401800092005b5da58d70d22a9b893bca52ca2d928708b558e7d95a18e540ccd3180dd038ae629326b3b8f6a89a6e12d61b399901 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll
| MD5 | 66cafd13877168b0062349a5a639e4fe |
| SHA1 | 3936afd07d22d44d033908ae6d56c58ff395d755 |
| SHA256 | 270f2398c073b62660eb8ff492a8ed4c0b760b044d34a6b6fbaa42cf7cb78e84 |
| SHA512 | 8d1d2f9516510ae7b0d4a7f401800092005b5da58d70d22a9b893bca52ca2d928708b558e7d95a18e540ccd3180dd038ae629326b3b8f6a89a6e12d61b399901 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll
| MD5 | 66cafd13877168b0062349a5a639e4fe |
| SHA1 | 3936afd07d22d44d033908ae6d56c58ff395d755 |
| SHA256 | 270f2398c073b62660eb8ff492a8ed4c0b760b044d34a6b6fbaa42cf7cb78e84 |
| SHA512 | 8d1d2f9516510ae7b0d4a7f401800092005b5da58d70d22a9b893bca52ca2d928708b558e7d95a18e540ccd3180dd038ae629326b3b8f6a89a6e12d61b399901 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll
| MD5 | 66cafd13877168b0062349a5a639e4fe |
| SHA1 | 3936afd07d22d44d033908ae6d56c58ff395d755 |
| SHA256 | 270f2398c073b62660eb8ff492a8ed4c0b760b044d34a6b6fbaa42cf7cb78e84 |
| SHA512 | 8d1d2f9516510ae7b0d4a7f401800092005b5da58d70d22a9b893bca52ca2d928708b558e7d95a18e540ccd3180dd038ae629326b3b8f6a89a6e12d61b399901 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll
| MD5 | 66cafd13877168b0062349a5a639e4fe |
| SHA1 | 3936afd07d22d44d033908ae6d56c58ff395d755 |
| SHA256 | 270f2398c073b62660eb8ff492a8ed4c0b760b044d34a6b6fbaa42cf7cb78e84 |
| SHA512 | 8d1d2f9516510ae7b0d4a7f401800092005b5da58d70d22a9b893bca52ca2d928708b558e7d95a18e540ccd3180dd038ae629326b3b8f6a89a6e12d61b399901 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\vulkan-1.dll
| MD5 | 75bdb977c84aa352ae7dd7782f89611e |
| SHA1 | 62f9fe878d2972098895796b3d887f517951ddeb |
| SHA256 | a43f02de6304eadaf539b127a2f02f95492abca28588d6e0f8cb115388b231cb |
| SHA512 | 5ed525be689fbb2a74dd2eb35a2099781c1c2848da524bd0a9d07c69154e1d131e30a08c690bb541231fcd14303fd3a6922bfb8ad47955020aebd81dee569561 |
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\vulkan-1.dll
| MD5 | 75bdb977c84aa352ae7dd7782f89611e |
| SHA1 | 62f9fe878d2972098895796b3d887f517951ddeb |
| SHA256 | a43f02de6304eadaf539b127a2f02f95492abca28588d6e0f8cb115388b231cb |
| SHA512 | 5ed525be689fbb2a74dd2eb35a2099781c1c2848da524bd0a9d07c69154e1d131e30a08c690bb541231fcd14303fd3a6922bfb8ad47955020aebd81dee569561 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\libEGL.dll
| MD5 | 8b967ad62cc99673cde56980ed63575d |
| SHA1 | ad32b4e7ccfea0df27f9859be34aec8805ac1422 |
| SHA256 | 61c9a573c6f81b60ba4bbc5197580bbd79ece79872d20fcd3e105c9d286b8d5a |
| SHA512 | cd259a87a4cf47fdc9bbb41685c7a60aa4b4b493849be8ae57dc2295fb146c57297da6b4b8de7145a69b25cb5526f48d559f7273c4f4a5a022cd3c66364a11a3 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\libGLESv2.dll
| MD5 | 177e604afed9174818c288861079a67c |
| SHA1 | 251a142753a7231112939a43d4987e84c343e876 |
| SHA256 | dde9d5defb26f9380a576a7260e7b707139e8ee0440d2f2ac280f3244f17f9b6 |
| SHA512 | 3c29ea51691060285c89ad5e1b507054c96d6e026b0147353e9c0601b64c6c64fe677184a4514972e0c40694617ef728fe58ad39079c905f30a87683e2f7198a |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\d3dcompiler_47.dll
| MD5 | ab3be0c427c6e405fad496db1545bd61 |
| SHA1 | 76012f31db8618624bc8b563698b2669365e49cb |
| SHA256 | 827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6 |
| SHA512 | d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba |
C:\Users\Admin\AppData\Local\WeMod\Update.exe
| MD5 | 2e4acb84ffaaf4ac65d1378491ea7ba8 |
| SHA1 | c927761e4512e2c9ef81d97c5a33a00c384fd0c7 |
| SHA256 | 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f |
| SHA512 | b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410 |
memory/1564-463-0x0000000000A30000-0x0000000000C0C000-memory.dmp
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
| MD5 | 74bdec2a1b6ee5cc7276f47d13edc48a |
| SHA1 | 71a8a2b69cb0e4f333812bd72fd06cf6e1a3b61e |
| SHA256 | 7fb226a4b4c6f72314f74bd5f667d678bb3b2c2d5d76c0c9b1b4a8fa0799fb19 |
| SHA512 | a0798582456212c55a74c1dfa059148726601440f7d64c5957ee5fc8fc14368017ff4af6d99295b8ce651a38bf3d086eef46f78a1fff7008552cf6a2e6984e30 |
memory/1564-464-0x0000000000330000-0x00000000003B0000-memory.dmp
C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
| MD5 | 74bdec2a1b6ee5cc7276f47d13edc48a |
| SHA1 | 71a8a2b69cb0e4f333812bd72fd06cf6e1a3b61e |
| SHA256 | 7fb226a4b4c6f72314f74bd5f667d678bb3b2c2d5d76c0c9b1b4a8fa0799fb19 |
| SHA512 | a0798582456212c55a74c1dfa059148726601440f7d64c5957ee5fc8fc14368017ff4af6d99295b8ce651a38bf3d086eef46f78a1fff7008552cf6a2e6984e30 |
\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
| MD5 | 74bdec2a1b6ee5cc7276f47d13edc48a |
| SHA1 | 71a8a2b69cb0e4f333812bd72fd06cf6e1a3b61e |
| SHA256 | 7fb226a4b4c6f72314f74bd5f667d678bb3b2c2d5d76c0c9b1b4a8fa0799fb19 |
| SHA512 | a0798582456212c55a74c1dfa059148726601440f7d64c5957ee5fc8fc14368017ff4af6d99295b8ce651a38bf3d086eef46f78a1fff7008552cf6a2e6984e30 |
memory/316-470-0x0000000000E30000-0x0000000000F20000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 8d61a48b09e8277da2c30d46aca2815e |
| SHA1 | b48573e903af3cc674621be6eb4a8cb02661ceb5 |
| SHA256 | 056a82ecb00397e5aefaecfe9ab398c617e2f7dc5c48b8be737716b217b1eb14 |
| SHA512 | 3040eea4a00cc7e58cf175ac3f4c3981b4baf9171bdf8fd708490946925a13611c64e31686773c4bb42d2264f7833f7a648b914d7aa6eef9f3f1c52dd4e8e842 |
memory/316-473-0x000000001AD60000-0x000000001ADE0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 55e9c7bec17ff0ea8965ed64b9ee7434 |
| SHA1 | 8efc7dc686c03d2ca4174b9343f4ec148eb2b485 |
| SHA256 | a7a15f716ac78e7971488733681ee041b50a93012e1c298f85a78798c66cfcf8 |
| SHA512 | e25e3c1a639d050e8074e65a4e0074a3117eafd3d9c33eb31dfd2bfd926b83ba706e3fa2c62625c6a2de2f06bff5babb893eef8f4baf7672230634d1f7d8c179 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1B711C0618BDC5AFF5E50F0E39F93100
| MD5 | 15208096a8fc1cbaf8f5fbf12a17f8c9 |
| SHA1 | 542712633c4a2ace3fa99469656a92f76e979a8f |
| SHA256 | 04f8d24394c291a5d75ad5c17a5f20742acbc79283ba87e955339daf3b94c23e |
| SHA512 | 5fa1e1f84838110332cf898a5c348fdac7ad64b86175b70d87ab57c8fd3bf097f5a24d9b2bd7159e15604f2e02c453a9df15ed44eabde2907c5174f0267d8082 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_1B711C0618BDC5AFF5E50F0E39F93100
| MD5 | 03929d8d4f211ac2b7ddb35fb5321507 |
| SHA1 | 83a19a678430145676bf6210597055f179b69f3b |
| SHA256 | 7641a5d4bfb2300b18b5dc29ee6d02b206fbec260531170ff193ef853f2c9dc0 |
| SHA512 | 3f5cc1649d975cf41470ca09433160a500a3f7d826e8e902fce5eead98346daeb3e03a598bfda99c7ef515fa9e34ebcf73c4661a5fdf0f90e2255e23b74c091c |
memory/316-485-0x000000001AD60000-0x000000001ADE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-25 12:02
Reported
2023-04-25 12:05
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "35" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "35" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "35" | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4644 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe |
| PID 4644 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe |
| PID 4644 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe |
| PID 1328 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe |
| PID 1328 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe" --silent
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.wemod.com | udp |
| US | 104.26.6.92:443 | api.wemod.com | tcp |
| US | 8.8.8.8:53 | 92.6.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.136.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.26.6.92:443 | api.wemod.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 20.189.173.5:443 | tcp | |
| NL | 88.221.25.155:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| DE | 2.16.241.76:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | api.wemod.com | udp |
| US | 172.67.70.173:443 | api.wemod.com | tcp |
| US | 8.8.8.8:53 | storage-cdn.wemod.com | udp |
| US | 172.67.70.173:443 | storage-cdn.wemod.com | tcp |
| US | 8.8.8.8:53 | 76.241.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.70.67.172.in-addr.arpa | udp |
Files
memory/4644-133-0x000001C32F1C0000-0x000001C32F1E6000-memory.dmp
memory/4644-134-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-135-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-136-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-142-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-176-0x000001CB51630000-0x000001CB51DD6000-memory.dmp
memory/4644-177-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-178-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-179-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-180-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-181-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-182-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-183-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-184-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
memory/4644-185-0x000001C32F5B0000-0x000001C32F5C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe
| MD5 | 93783e5cabf93a846258b4c26ba946eb |
| SHA1 | 60edcd657e40972af038f727a2bc79ce868884d4 |
| SHA256 | 4f6d19344d333591b683cc97719eef9f8c72af9a0ec5a1c61a00b385ebff0adf |
| SHA512 | a5e2ef394695dda6fb5a5775f39a2fcf9c4365a4b2c0e1f94a45c6df55b4271ccd1e272bb2f87cedea8e11b852d838a8c0e25f70867eda74408d61eea723182c |
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe
| MD5 | 02b4ad20729a5de71f1f52c0fd52f7b7 |
| SHA1 | d0504a3e9f73ee44284d9011e364ab91d698ffc4 |
| SHA256 | 14e1988f1d85a44485712faf1673fbedf87889961b0059c6cc888ce7fbeafb77 |
| SHA512 | 69a74e2f8b5710f70d98577d75dc524bbc844ad55986321813089e3cb78869180bb820c2dd3cb5dcc233064ab04f2652ab00c7269093cb8818e26fbc283a379d |
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
| MD5 | b43e5cf21598243f3078d787159d7bef |
| SHA1 | dbe552b5455966b2cc59e6786dac21610cbbea0e |
| SHA256 | 36fd9d2415858e7010345d3fc16536349a689f9d75ed005151cb4ff5e1d0cb80 |
| SHA512 | 8c41abd147c334fbff93871f08eb878e60c7be3e26487c601d741dfaa7a047d85e3d21ef10f47fafd65c569e90e9d1b32cad74fc4065e3c16728681f6c5df9be |
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
| MD5 | b43e5cf21598243f3078d787159d7bef |
| SHA1 | dbe552b5455966b2cc59e6786dac21610cbbea0e |
| SHA256 | 36fd9d2415858e7010345d3fc16536349a689f9d75ed005151cb4ff5e1d0cb80 |
| SHA512 | 8c41abd147c334fbff93871f08eb878e60c7be3e26487c601d741dfaa7a047d85e3d21ef10f47fafd65c569e90e9d1b32cad74fc4065e3c16728681f6c5df9be |
memory/4464-198-0x00000000000F0000-0x00000000002C6000-memory.dmp
memory/4464-199-0x0000000000990000-0x00000000009A0000-memory.dmp