Malware Analysis Report

2025-08-10 12:45

Sample ID 230425-n7xzhaac27
Target Muck Trainer Setup.exe
SHA256 d5a5189d316e32de65535f17bbf55b372c3e9d4a504d198f180dfebaeaccb40d
Tags lumma stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d5a5189d316e32de65535f17bbf55b372c3e9d4a504d198f180dfebaeaccb40d

Threat Level: Known bad

The file Muck Trainer Setup.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-04-25 12:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-04-25 12:02

Reported 2023-04-25 12:05

Platform win7-20230220-en

Max time kernel 148s

Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "35" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "35" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell\open C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.6.0\\WeMod.exe\" \"%1\"" C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\URL Protocol C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\ = "URL:wemod" C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\wemod\shell\open\command C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1928 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe
PID 1620 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe
PID 1620 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe
PID 1620 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe
PID 1620 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1620 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1620 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1620 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1928 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\WeMod\Update.exe
PID 1928 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\WeMod\Update.exe
PID 1928 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe C:\Users\Admin\AppData\Local\WeMod\Update.exe
PID 840 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\WeMod\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 840 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\WeMod\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 840 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\WeMod\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 840 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\WeMod\Update.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe
PID 1536 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe

"C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe" --silent

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --squirrel-install 8.6.0

C:\Users\Admin\AppData\Local\WeMod\Update.exe

"C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://titles/50639?_inst=5xWlYPh7rrMnYbpM"

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" wemod://titles/50639?_inst=5xWlYPh7rrMnYbpM

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1040 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1600 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1224 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

"C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1040 --field-trial-handle=1092,i,4732601441589389280,9968691018896781111,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\WeMod\Update.exe

C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1682431511368_Out

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.wemod.com udp
US 104.26.6.92:443 api.wemod.com tcp
US 104.26.6.92:443 api.wemod.com tcp
US 104.26.6.92:443 api.wemod.com tcp
US 8.8.8.8:53 storage-cdn.wemod.com udp
US 104.26.7.92:443 storage-cdn.wemod.com tcp
US 104.26.7.92:443 storage-cdn.wemod.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.208.110:443 redirector.gvt1.com tcp
GB 216.58.208.110:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r3---sn-5hne6nsr.gvt1.com udp
NL 172.217.132.72:443 r3---sn-5hne6nsr.gvt1.com udp
NL 172.217.132.72:443 r3---sn-5hne6nsr.gvt1.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 104.26.6.92:443 storage-cdn.wemod.com tcp
NL 142.251.36.3:443 tcp
NL 142.250.102.154:443 tcp

Files

memory/1928-54-0x0000000000180000-0x00000000001A6000-memory.dmp

memory/1928-55-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/1928-56-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/1928-57-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/1928-104-0x0000000022570000-0x0000000022D16000-memory.dmp

memory/1928-119-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/1928-120-0x000000001AE60000-0x000000001AEE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180281996210000.exe

MD5 24985391366a2f90a132465022fb5f69
SHA1 f9564ca80e59a57a7fbc7b865c74ba079386b140
SHA256 689c4761b9897b14dbadf5dd833c603a2deecdeccfb1f7c5a6304b2afbe7cfee
SHA512 14bba15cb5d40ea02a40a227c2c57f63d65a9cbcc5448a7efe84f8c93648d5a7e9ebe2574e118fc775d34e73381af5096b3c4371efb2ef52de0effe776de657d

memory/1620-125-0x0000000000900000-0x0000000000AD6000-memory.dmp

memory/1928-126-0x000000001AE60000-0x000000001AEE0000-memory.dmp

memory/1620-128-0x0000000002080000-0x0000000002100000-memory.dmp

memory/660-162-0x00000000007F0000-0x0000000000850000-memory.dmp

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\squirrel.exe

MD5 2e4acb84ffaaf4ac65d1378491ea7ba8
SHA1 c927761e4512e2c9ef81d97c5a33a00c384fd0c7
SHA256 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f
SHA512 b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410

memory/1760-231-0x0000000000950000-0x0000000000B2C000-memory.dmp

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\Squirrel.exe

MD5 2e4acb84ffaaf4ac65d1378491ea7ba8
SHA1 c927761e4512e2c9ef81d97c5a33a00c384fd0c7
SHA256 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f
SHA512 b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

MD5 785460a10d3b9bb8e77cb0474dd405e6
SHA1 d905a695151b170d042fc60d938e1f978ab12e2e
SHA256 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5
SHA512 e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

MD5 785460a10d3b9bb8e77cb0474dd405e6
SHA1 d905a695151b170d042fc60d938e1f978ab12e2e
SHA256 3fcada77230aff52ca5b9ef42caa6162f96779a0f33112141b2387b27a6543e5
SHA512 e4ff932c345c4e1158071b43cd939ed5800cb22b3f90c01ed6ea8f46a489846546cd90f316914ac06c47d50d260ddc92ea5a58ece52b1edc6681548199ea90fa

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll

MD5 6eb84bf78abc36ec975f0a72ec7d83d3
SHA1 b92944d2605822e2ffc5196ac299e2bf86c6e25f
SHA256 db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc
SHA512 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e

\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll

MD5 6eb84bf78abc36ec975f0a72ec7d83d3
SHA1 b92944d2605822e2ffc5196ac299e2bf86c6e25f
SHA256 db04507fffccb8c42d921c1e659fa1687838b76c3fc2985619d61abebd8075cc
SHA512 5154c5e922b634e1538a30df48671002574bc674b606d05bfb572de48a2ef0410a5919ff3686c4b3cc617a49692d21e02aa6b24f8b9b0c23e853e709221c1c2e

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\v8_context_snapshot.bin

MD5 dd9ca4878bba782613cba372de1c36f4
SHA1 2eefcb6fcaa4b2ed717c952895710be5701871a7
SHA256 ea33ca96024769386ae0ff100c2ae239507006d7340f1f8bbc5bcfb4195f9226
SHA512 0791d3827a6de5745d3424c562b16604cf311ed6fcb4cf62d2c7f54ec0b7f3535b1114e919d2ba6d144cbe9f45418a555ab3fd801078bd8d563a656796f5d4e6

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\icudtl.dat

MD5 cf9421b601645bda331c7136a0a9c3f8
SHA1 9950d66df9022f1caa941ab0e9647636f7b7a286
SHA256 8d8a74ca376338623170d59c455476218d5a667d5991a52556aa9c9a70ebc5e5
SHA512 bc9601e2b4ab28130bfadfd6f61b3ed500deb0bd235dc5ca94999c09f59d10bdcbf278869a9802f918830041f620c88e2c3b506608ade661db48ccd84c1977eb

C:\Users\Admin\AppData\Local\WeMod\packages\WeMod-8.6.0-full.nupkg

MD5 5b65b8e7c722ea3cdd852a60e3a47e48
SHA1 78caa65d63160b9b3364633ed0435b91eb116d8d
SHA256 1b663486c0bf5ea10ecc69c3eaa7b46c565f3cf6c1144dcde260fa8611cfb20f
SHA512 059e220748dcaf694edc308f9a16d90975c0cd098158256ac9e4f8a77364896e5bca1452448492c15f5e22f1a1c3b06a0e73da081a5713988b1686da47fb6d3d

C:\Users\Admin\AppData\Local\WeMod\packages\RELEASES

MD5 2048a6e63ea6c66ea9001d9f51fe6c38
SHA1 6faf9dc016628783068f5430da2d6ab6ee99846d
SHA256 52cc531dc4610e5fb892bc39bc91811a58096e9032f1c67f9f46555c1be3c32c
SHA512 c4d47030b171a403d0990f769cc63ed109929ce3e9089a546fa144e748696d6d75f958d66c80f4aa84585db0977323cf7e0c428857ff898db373a4f2edb5b4cb

C:\Users\Admin\AppData\Local\WeMod\Update.exe

MD5 2e4acb84ffaaf4ac65d1378491ea7ba8
SHA1 c927761e4512e2c9ef81d97c5a33a00c384fd0c7
SHA256 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f
SHA512 b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410

C:\Users\Admin\AppData\Local\WeMod\Update.exe

MD5 2e4acb84ffaaf4ac65d1378491ea7ba8
SHA1 c927761e4512e2c9ef81d97c5a33a00c384fd0c7
SHA256 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f
SHA512 b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410

C:\Users\Admin\AppData\Local\WeMod\Update.exe

MD5 2e4acb84ffaaf4ac65d1378491ea7ba8
SHA1 c927761e4512e2c9ef81d97c5a33a00c384fd0c7
SHA256 15a062eafbb7eceaf09142f9c39c8e4d998dd5a90700de81bcbe33a5ba34a35f
SHA512 b14858a9cb845c3a9339c0f77b26f5151a926700352e8482a4242aed86b7a04c6fe8a4fd8246456d8d188790527db40faebf3f5c7dfe3bd229f877ca1b36d410

memory/840-273-0x00000000003B0000-0x000000000058C000-memory.dmp

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\WeMod.exe

\Users\Admin\AppData\Local\WeMod\app-8.6.0\ffmpeg.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources.pak

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\locales\en-US.pak

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\icon.ico

memory/1940-296-0x00000000086C0000-0x00000000086C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\WeMod\Local Storage\leveldb\CURRENT~RF6d316d.TMP

memory/1536-331-0x000000000B7E0000-0x000000000B7E1000-memory.dmp

\Users\Admin\AppData\Local\WeMod\app-8.6.0\libEGL.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\libegl.dll

\Users\Admin\AppData\Local\WeMod\app-8.6.0\libGLESv2.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\libglesv2.dll

\Users\Admin\AppData\Local\WeMod\app-8.6.0\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\D3DCompiler_47.dll

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_0

C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_2

C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_3

\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\vk_swiftshader_icd.json

\Users\Admin\AppData\Local\WeMod\app-8.6.0\vulkan-1.dll

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\vulkan-1.dll

memory/1564-463-0x0000000000A30000-0x0000000000C0C000-memory.dmp

C:\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

memory/1564-464-0x0000000000330000-0x00000000003B0000-memory.dmp

\Users\Admin\AppData\Local\WeMod\app-8.6.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

memory/316-470-0x0000000000E30000-0x0000000000F20000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

memory/316-473-0x000000001AD60000-0x000000001ADE0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1B711C0618BDC5AFF5E50F0E39F93100

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_1B711C0618BDC5AFF5E50F0E39F93100

memory/316-485-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-25 12:02

Reported

2023-04-25 12:05

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"

Signatures

Downloads MZ/PE file

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "35" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "35" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "35" C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe

"C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe" --silent

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.wemod.com udp
US 104.26.6.92:443 api.wemod.com tcp
US 8.8.8.8:53 92.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 126.136.241.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 20.189.173.5:443 N/A tcp
NL 88.221.25.155:80 N/A tcp
NL 173.223.113.164:443 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 204.79.197.203:80 N/A tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
NL 178.79.208.1:80 N/A tcp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
DE 2.16.241.76:443 assets.msn.com tcp
US 172.67.70.173:443 api.wemod.com tcp
US 8.8.8.8:53 storage-cdn.wemod.com udp
US 172.67.70.173:443 storage-cdn.wemod.com tcp
US 8.8.8.8:53 76.241.16.2.in-addr.arpa udp
US 8.8.8.8:53 173.70.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

memory/4464-198-0x00000000000F0000-0x00000000002C6000-memory.dmp

memory/4464-199-0x0000000000990000-0x00000000009A0000-memory.dmp