22934a5c71b17fb562f6b3224cd71b47f24ad92517bc5784a19e4fa189a10e60

Analysis

max time kernel
1687s
max time network
1697s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeMod-8.13.14.exe
Size

101.8MB
MD5

3826395613e4a4605a650261ca5c0bf3
SHA1

5b60eb79956b81b62f8e2dcdf2dc0bd32437fcb5
SHA256

22934a5c71b17fb562f6b3224cd71b47f24ad92517bc5784a19e4fa189a10e60
SHA512

cc54cb6eca06d350c55877b3066a3cbf5d5634120f835fc3fc98a1c27ff87dc62f44ddb64caa509818fee2c75eac53b025ae27f80349626cca563f3f7cd8d9c3
SSDEEP

3145728:G40JUFwbJQt1b9+aL7xFOKAjXal9ZEDHCZ/:/ky0Wb9+aPrOKALg9AHCZ/

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 13 IoCs

pid	Process
2416	Update.exe
5140	Squirrel.exe
5212	WeMod.exe
5808	Update.exe
5968	WeMod.exe
6080	WeMod.exe
6116	WeMod.exe
5780	WeMod.exe
5896	WeMod.exe
5536	WeMod.exe
5316	Update.exe
2172	WeModAuxiliaryService.exe
5756	WeMod.exe

Loads dropped DLL 13 IoCs

pid	Process
5212	WeMod.exe
5968	WeMod.exe
6080	WeMod.exe
6116	WeMod.exe
5536	WeMod.exe
5896	WeMod.exe
5780	WeMod.exe
5780	WeMod.exe
5780	WeMod.exe
5780	WeMod.exe
5780	WeMod.exe
5756	WeMod.exe
5756	WeMod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeMod.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod\URL Protocol	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod\ = "URL:wemod"	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod\shell\open\command	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod\shell	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod\shell\open	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.13.14\\WeMod.exe\" \"%1\""	WeMod.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WeMod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WeMod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WeMod.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4768	identity_helper.exe
4768	identity_helper.exe
2476	msedge.exe
2476	msedge.exe
2416	Update.exe
2416	Update.exe
5756	WeMod.exe
5756	WeMod.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	Update.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeDebugPrivilege	5316	Update.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe
Token: SeShutdownPrivilege	6116	WeMod.exe
Token: SeCreatePagefilePrivilege	6116	WeMod.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2416	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 2416	3316	WeMod-8.13.14.exe	99
PID 3316 wrote to memory of 2416	3316	WeMod-8.13.14.exe	99
PID 2416 wrote to memory of 5140	2416	Update.exe	104
PID 2416 wrote to memory of 5140	2416	Update.exe	104
PID 2416 wrote to memory of 5212	2416	Update.exe	105
PID 2416 wrote to memory of 5212	2416	Update.exe	105
PID 2416 wrote to memory of 5212	2416	Update.exe	105
PID 5212 wrote to memory of 5808	5212	WeMod.exe	107
PID 5212 wrote to memory of 5808	5212	WeMod.exe	107
PID 2416 wrote to memory of 5968	2416	Update.exe	109
PID 2416 wrote to memory of 5968	2416	Update.exe	109
PID 2416 wrote to memory of 5968	2416	Update.exe	109
PID 5968 wrote to memory of 6080	5968	WeMod.exe	115
PID 5968 wrote to memory of 6080	5968	WeMod.exe	115
PID 5968 wrote to memory of 6080	5968	WeMod.exe	115
PID 6080 wrote to memory of 6116	6080	WeMod.exe	110
PID 6080 wrote to memory of 6116	6080	WeMod.exe	110
PID 6080 wrote to memory of 6116	6080	WeMod.exe	110
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5780	6116	WeMod.exe	111
PID 6116 wrote to memory of 5896	6116	WeMod.exe	112
PID 6116 wrote to memory of 5896	6116	WeMod.exe	112
PID 6116 wrote to memory of 5896	6116	WeMod.exe	112
PID 6116 wrote to memory of 5536	6116	WeMod.exe	114
PID 6116 wrote to memory of 5536	6116	WeMod.exe	114
PID 6116 wrote to memory of 5536	6116	WeMod.exe	114

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.0.1861568509\261337891" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {617a7105-6d30-4c00-8f14-95a33e9297ec} 832 "\\.\pipe\gecko-crash-server-pipe.832" 1796 1e5c4bd5b58 gpu
1⤵
PID:4984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.1.1361340160\1020057531" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f322ff-37ff-4f6f-b343-b05123bc44ec} 832 "\\.\pipe\gecko-crash-server-pipe.832" 2176 1e5c46e3258 socket
1⤵
- Checks processor information in registry
PID:2120

C:\Users\Admin\AppData\Local\Temp\WeMod-8.13.14.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-8.13.14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\Squirrel.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:5140
- - C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --squirrel-install 8.13.14
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5212
  - - C:\Users\Admin\AppData\Local\WeMod\Update.exe
      C:\Users\Admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe
      4⤵
      Executes dropped EXE
      PID:5808
- - C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5968
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --type=relauncher --no-sandbox --- "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:6080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.2.670833145\1188468187" -childID 1 -isForBrowser -prefsHandle 2728 -prefMapHandle 2748 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1032 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b96fca8-1a92-4620-9f6b-10c6f9dd3d8e} 832 "\\.\pipe\gecko-crash-server-pipe.832" 2812 1e5c96c6258 tab
1⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16078595241109603586,6448156222287725367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
1⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16078595241109603586,6448156222287725367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
1⤵
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.4.2078494101\667517312" -childID 3 -isForBrowser -prefsHandle 3368 -prefMapHandle 3372 -prefsLen 20927 -prefMapSize 233444 -jsInitHandle 1032 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ba8b3ac-28a2-44f0-a744-82ea28e610da} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3360 1e5c9b76258 tab
1⤵
PID:600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.5.1948846025\883792001" -childID 4 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 20927 -prefMapSize 233444 -jsInitHandle 1032 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63c2c7f4-3d96-4115-853b-88fb40dd0b29} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3652 1e5c9b75058 tab
1⤵
PID:1600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.3.1076068536\20471470" -childID 2 -isForBrowser -prefsHandle 3220 -prefMapHandle 3208 -prefsLen 20927 -prefMapSize 233444 -jsInitHandle 1032 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbc8bda0-698b-4b86-841e-4634df91f86b} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3232 1e5c9619658 tab
1⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,16078595241109603586,6448156222287725367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,16078595241109603586,6448156222287725367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.6.146375828\1212429721" -childID 5 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1032 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c664952b-c24a-4d6b-a5f5-d613eb16e6cf} 832 "\\.\pipe\gecko-crash-server-pipe.832" 4184 1e5c8514a58 tab
1⤵
PID:5372

C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
  "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1732,i,359420294906549393,15376306184536116871,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5780
- C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
  "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1948 --field-trial-handle=1732,i,359420294906549393,15376306184536116871,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5896
- C:\Users\Admin\AppData\Local\WeMod\Update.exe
  C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
  "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2336 --field-trial-handle=1732,i,359420294906549393,15376306184536116871,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5536
- - C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
    C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1708717292831_Out
    3⤵
    - Executes dropped EXE
    PID:2172
- C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe
  "C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1732,i,359420294906549393,15376306184536116871,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Filesize
1KB

MD5
6884f06e5e48278e875c48434c7e7d69

SHA1
e95d5626f455f989a37e62dbb71fd1147a6a18dd

SHA256
a2575cf61e66d6b0032cc832c80698cc53879e70fd9ebc9e0693947609443e2b

SHA512
a115434399f781f760fb4288c9b9cb0efc111f12ce4b17fde32439fa8fbfd61929c827f415856150e15501767d194c67cbbdac093a72d122e960a8fa75d8177a

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
78B

MD5
5f17fdaca13b6cab13f040ed99f80b62

SHA1
0e10e5a102ed2f54bf2533f9a1cf8287562cdb2a

SHA256
44b80c687e11fc2cd07a93a94f2ac2d5467cc4e7c99af1fad9fdf6f8287d207b

SHA512
aa320c66b3844f92bb0eec5b79da1071fe2964edeadc709f08317b9eb72f6295bcdde6e9212fc3ff1707f6dbcb8a1a207e34b199c0b695b90e11f1665099ce64

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
704KB

MD5
fbf0674c257a019829ecb359e4445a09

SHA1
cdfae464ff1a4bfbd07001c77865319ab665789b

SHA256
56d3738c326b6cdceeb2c2357f672b494bd7a9769149b72ac8d8747e4c443115

SHA512
b6785974b744fc4dd98412299bed08dd5993a26365ef3c15ff65363935ec2b2c93c42f1681cea45936e05e8bc81fd63108cf7ac14cbe7864f772bb447a81e1e2

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
631KB

MD5
5b435761a2eb7defc5fb687478cd01d4

SHA1
862727ab35c4d76236aafb9f14834cf61a929956

SHA256
5bbe1835ef587f5d95e037e8d57acbb2a230dfe20b8e8c20f0d5be09bf137c89

SHA512
c977b4d989080cf9780a7e3dea7c8f5813d7dc27a5d9f938028aceadad2f760fc8c89d1ec2c199575a2f650dd1f96af8bca9fb70c617c90cef928a2ec16a2d16

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\WeMod-8.13.14-full.nupkg

Filesize
6.5MB

MD5
f19d1cb4c8af4f0dece4e0a4d3bf3dd5

SHA1
88ef0d3a057dcde3d86ac9b0299999b827e25bdb

SHA256
0ebced8c6db1e851f78f743a6b9103ef2a3bd304e1c574800c6c802adb277888

SHA512
1d202542783c61fabddc6ea88d2f74bbae93f84ef9a140a59eb670af021bf4574b9ef4c1c38332858ce7c3951ecf69240935396e2478dead194594ea09279f49

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
21KB

MD5
1d0394cf33c9bdf438c3b05fe4b8c617

SHA1
8b04090dc8ae8982247575680988a6fc037f61fc

SHA256
4762c5c406920b9b28f567859d3eef8623b6484166e43b33c7a04cd0f0684dfe

SHA512
7c3e92906159a6cb5ed1dde26d5ead5e4bb6f24219bf070c45c787851f17ed329e8074a634dd964026b691c8b0f568c66aa736ad0e04df0fa32306f565bcb95b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
24KB

MD5
e2fc5f7c4e479982f270a6d9daeaa7b9

SHA1
e6b2f2c381d64b588d80fc2d7754515972ca48ec

SHA256
9be0f7268db367235d785653b7da1cec8374bee92c42732299f7193f430edb1c

SHA512
42d657ac14903eccaa037e1b8e554b2f3a2ca1066dc23ca7f32f3fcc0da8714ad1c0f2cd295b1f65a9a9f4f7bda2bab2d1991cf07bf72c5b829668d2b92cfd5e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\Update.exe

Filesize
192KB

MD5
d2df86cc0c74877ae914e0155fd3a505

SHA1
48f2554581f7988099a444193e71a157fd517717

SHA256
2b5828971d3c1bdefd9fc7296b352eefd880932b4bb59ec02c9e9ed734d21f88

SHA512
fd5349e5ecfbd9da517fabab62dbceff667a318063c06e8acd1cbceafbd84b4a37db9dd3d2897128b8cb69526200556c2a15185e31150b60d126a0dd86cd87d6

Download Submit
C:\Users\Admin\AppData\Local\WeMod\Update.exe

Filesize
256KB

MD5
d8e9df82f641a6a7943265923050a97b

SHA1
ba1e584d0d0e95ba4c8b1bcd87ec4a95c6201e9d

SHA256
fbeba3c093e9c5c87d1aa3848a694fc945aa730e334bb1d8aad4fb87c9d53e92

SHA512
10c23fe6651e2568641c5e18fd582116a7a6246ea1136da36c4a56a571f473141cc91110697160755723d86549bdfc5ea11103d4c7c8b77ceacf518b684dde34

Download Submit
C:\Users\Admin\AppData\Local\WeMod\WeMod.exe

Filesize
536KB

MD5
881356788fbbaa56bb33ced545078648

SHA1
7b616a7335ec3672acf842bb57e1eaaca4f048c0

SHA256
019f8d3b2bd07f5795af642c7fbe606276cd97dd84cbfafd14cc695477714600

SHA512
8cf5b3aeb7682af9ccaa71be1c60101e96a714d5790547f12a87e36ee63452347b5d56dc60a4108286eb064ba4542ea3e4883c605659c1a4d4132feac0e30d27

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\D3DCompiler_47.dll

Filesize
3.8MB

MD5
f905cc97c6213feeb28bafa90466281e

SHA1
c725c61fa82c847d1f961b965a6198ba89a16527

SHA256
49159c5f3d77b0735096a7032e36c99efe60e1a7e3b14d7e3e058672d8775ba2

SHA512
3948e5338cb9de8621a11f2bec3f9c4f409ee1e9289f41cfff5d00a882ee1a411335f5a9fd7270e88862a805c52029c079cf3b155eae47d5d46ef942ce900c7e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
448KB

MD5
b3bb45526c5ae74d90e07f6bfe24da45

SHA1
55586ee2cf6a66acd00019c35058daa8c17de9aa

SHA256
fb32e53b5b784dd4b261a2b5a9d96c3101a8e34b618336b499cd5395cd7021c9

SHA512
47556acc3a2450a77307ac9411c6384a5a100879c29b3b895a7c405a0901e4984a590c5f28825406bada5f53b4908d8c6e71ccd370daa4daed11404559ff3776

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
768KB

MD5
031c2ae789feed944be362a0611abb23

SHA1
7dfafa51b078bc9eacf876062817eb4a7e6049a6

SHA256
641da98f4fe2aa21f48d5da8cf76fed5770b7e40c4be52877f6c9a4ee3518171

SHA512
f6f278efbc785a16c05155a4a9b812d898f52412efb597bb5bc5ca6ebcd4b372e6661db6dde7f42b3ca7df822d41a2f0830d9938a2608c99f5554e1abb40a621

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
192KB

MD5
d39395422e3aee8b0bc857a5b95b830e

SHA1
3b126c44791447c9585c8333c595a1f96f648d5f

SHA256
2719ae8e5fb39e130242c1fd1110a5096a870aa8a917569305013211cdcdd5da

SHA512
b6956fd22b0a7ef2bf01351193dc68809cb79d73ecbba98ea9495bec3d59be2facae3c3d2f8b30bdbc824b1c6f841676284ad8365b286986f23da71197dc9534

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
640KB

MD5
bc7cca668ba8c916752b99115478bf91

SHA1
1103afac2c0b140c371c75baca83ec65a2159e9a

SHA256
d9afe44526078b679bb9a45d0eb4115d8600632071b845cdfc811f77173c4a40

SHA512
5a9921bd8fbb343181fe9f0ce59dd1beed983bedb6130b51faee80525722d89df992443866a9251278fbf5922333a41e017b721d95262dddb05c069f46ba856c

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
512KB

MD5
fc855c42899cf83cb7d122bfda393caf

SHA1
abd402ea4beaa662cd8507f0856be50093c9c521

SHA256
59925107e8ffab537c7dd7426d9c1c40484db69b57fb773130c86fa3391c49c6

SHA512
e0ee5bdda9c6986854a292c7b2fc37bd6591f34f3d992d2197fa8138ad2c0e5cd477841f6b08f1739d995b6473b83667db41679233e7d25e50801f6ff82e7e22

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
384KB

MD5
4ca8924561d627389b4a71acdf7f2dd8

SHA1
2e332446aa9920b106628f7ce0bd63c4e58b5784

SHA256
eeffb452e5ec4dc34003400b8cdc18258f6f78d525e83aaaae7f0f961b597dfc

SHA512
c483cd8f15f7184e868cd0f910a58aa5166efa3ebba70f2fba9236ebf65d38ef1d440fdbd51ac5008735a2d63574da08fe582f31906fc876bb5ab43542483471

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
1.8MB

MD5
695b102e621532d2a6b42ae8e3c97f0b

SHA1
ffb221af7ae761f7d347b589f4eb6a4ee0fda8f1

SHA256
b06ec8d40b3ecc5588dbb48a517ae54415c2be62646b9ed8fcbab0ae2bbebfd2

SHA512
fcc706c4121882391416456b17ee0d02abf15c855ff1221fedcec0a3c3ef8b013e8bd147c2151a4242177e7cfc8f72f0a75f181c949fac32e091f8655f4707dd

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\WeMod.exe

Filesize
23.3MB

MD5
03c0581d816c34aa9e4d613efa89ab52

SHA1
4d423a4d02101bddfbf1f93af3639f546c710046

SHA256
84eaa7ab7ccf88f55ecc88acb97519f5f27f5465d05c9461860020a34276413e

SHA512
dddb51d4bd12465b3b7d90d2d763c24716d4f7c7a858bd82848ff99ebb0e0018ba0dd6c8f4eeb4942bf442f8e83f139386873da0b9c90a415d3f74d6ea62ee57

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\d3dcompiler_47.dll

Filesize
384KB

MD5
3c5749ad2aaeb28cc216c8b443d0efad

SHA1
ac2ddcd600ee7d20cee84ee10db5e855146e0a15

SHA256
06bded2ba5be8a0fec6221703e680eba403ca83ad98a1b428a98ce7ede49eba2

SHA512
03bf07b3aa77c0dee742aec50cde264130bf2d063daee17c0baa44c03bed618bfec18d91f4013b87ae3d2f90393f70ff5526e2e3f575b9eac907371a37c0acc7

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\ffmpeg.dll

Filesize
320KB

MD5
f22e75735d456b1843e19e7e4ed51bc2

SHA1
804c5d834216a06682761e361bbe1f51a96f318c

SHA256
1f9c36cf8c37cd8280ccf01f6e9b17e06cdf3a76c8241fb328424b3816f701da

SHA512
728a5a7881d9d09bf14b3d1f482b37d06cf8ac48850c98a5bb0b47404bb81e111e39a1d769cda154525e70ed4b5bc09b8f6f1ff02ed58f2bb13e4f3b995b8d24

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\ffmpeg.dll

Filesize
128KB

MD5
c903ae0b561339bdb502a7d2e49f7e4d

SHA1
46d52923a8926ef51b0078ba8f47af0411220f46

SHA256
3786c0b59d26a92c00e5e16d296ab9f25f17780b29c5e0281cf8129c92ff6c6d

SHA512
c8fe4479c076f6e4312b942448f9846c20b10ed6ff70d5f00e1005a6b688db7cc7269cf4da868e8b6fad17ab3830cd11062ba6ded5abb7823ad0be41be333b59

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\ffmpeg.dll

Filesize
600KB

MD5
b1cf854d1f3c47521013700086829b2d

SHA1
95735f7999354443053308449a414977c1d1b826

SHA256
098b2c6d43d3c9308a915b9ce9746287b991ea63ade1d2a8c2f37345ff020a75

SHA512
0c902ad58704ce383c3d14da821ac9ae37d6797f2388933e4267a78395168c88662e3983ffafb34c12066e39ed802c026bc45ce45b01481b6e2fbdb67cd9c605

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\ffmpeg.dll

Filesize
512KB

MD5
b592cbebcf334596d8440d310aea7e90

SHA1
f64344a314428e148673af4413408ed5455bbc24

SHA256
31f3613a16551c9b4ec7ff5e9a20325eb2b9d3daf9202b3eb99a37f28ffb216b

SHA512
3632f846f9a8af130280b6ec461d4e20cf4a96fd47f61ae446cca3472cffe9d1b9e0ae8963ca49ca7738531f4a8ae5819260b084c9254558ad684489e3df636a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\ffmpeg.dll

Filesize
115KB

MD5
d9301210c6a732fa6eb4e8050d9cac68

SHA1
6126a32f0632c096dbed077b020078737a6f8137

SHA256
fe2bb4bcb2f5f559b5635aee95e8b3fe9b37ee803d37fa10fdb57d0876a3da69

SHA512
766a8d13895bdc476a0026d9321a91acd0926aa9bed0e37b72f5ff3b13af2a87dbc021c218abf3d97ca7d171e966795cbca8d3d12cb96043530e214c36ee7330

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\ffmpeg.dll

Filesize
2.4MB

MD5
b2ce140738d01f5b9e6d92017d52ce14

SHA1
43485075ee7705c270ff097e1de9bac012d818d2

SHA256
a983c2e23889cfc954a6c9ab2eaec9b0a282502e0a9df070f70544a1d2daed69

SHA512
d3a39f14b17018a1c60cf3cfb5cf3c1f676d4af3d87398991a2c91c090a1734361d604da56a06b375a8e99fb967e354fa71af07deb872404db64178c4f61b935

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\icudtl.dat

Filesize
1024KB

MD5
8ed045fd85682ce2560fa50e060957bc

SHA1
9fe0c848ba39b1180aefa33a2d92225ff67b3e00

SHA256
d1bd6415c30f65de25f7b394a001cadf5154060070693e4547807b08d1a5fc6a

SHA512
49565f5960b25105219883664f457f1cc8334dae6479aec3fc3336c633ea35726ab0f5d126eaf509807753882b354795f3903154807dada481879dcf2e39ab13

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\libEGL.dll

Filesize
384KB

MD5
ebb65f4b83d2272f9be658f261655156

SHA1
aec5eab3f4e86d8e9f449c9bf96c5b77fc0d2b18

SHA256
c85706228e9988115f19a810fb4a71222b8ef086d7ecc3163e8658a30fd20b56

SHA512
f25db961d9508846f0177e3869ea0de51b264938564f2628d51698f9d857923b1f4ae9487d41440d64e31c6407a225ef759c590abe6004fdfcaffb90584e713f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\libGLESv2.dll

Filesize
320KB

MD5
4812c8cfefc2247028c95a9098518f23

SHA1
485cf501e1db418bb1b7c6649705d13793fc6210

SHA256
612b9801394eb083f77f5a134f0edcc85df093bde288311ed8a05424f24d45e2

SHA512
f2a185b73e765b6f83447ce0738100a1b4463bb30a29373ad75e627ac6c62d9b7c7459ced3be74ec0c0bc92ccf517fd8ec6f118c6e92224252b9166d86312efd

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\libegl.dll

Filesize
320KB

MD5
d25ff22d208d295e6bb2967471e3c36e

SHA1
cc5a2e2019249a40c9559c2aa053741d311d9707

SHA256
7137f34f06b96c8f0b005edaa8a75f9f2a525603f53a12813ff8a91de6b16628

SHA512
c78c4bc00e6e1191a13694cbb17c8703108a4d5a8d396b96158d98536dd2fa5fe43be05bc609d3589b5604bfb25641e920edde379821586e3df8422b44d2d4ba

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\libglesv2.dll

Filesize
384KB

MD5
9f8cbdc3ebc6003220b3a31497b4e0d2

SHA1
b94a698ff1a1db6c685ae2d2e7d1cca503d9d155

SHA256
04dac62c010764848ae268d4dc0596b2559b392532dcbd0cc28fbf7a6e26461d

SHA512
19158cf762f49db4eaa29d161615a99357e05fab6f12927b8b5f295c2eae2966f2a75532e543c479d82bc39814ad2e8a5e666970a8d7d5a3101f2593c97b23b1

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources.pak

Filesize
832KB

MD5
1c174d4136888fc34b1bfbd56d6efd28

SHA1
2bc8214a7e634ce17b5d0b3b670eca1df8ef6a83

SHA256
372afc04a9a871ec83576667ee50debe92433d4860147a8598cc71f67cd3a71f

SHA512
fdcb7e59cfd64d85403066c707acb8b7f56c6a3dec37872b3fa0c01504e3139f656e2dbc315d872a65b7185b19e5779ed889e907c1fff91bac96a3e5edce67f5

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar

Filesize
320KB

MD5
0c7e92e849c085f1b543b2f5fec30ad3

SHA1
63bc509c5623377f8e35d1e252f6a927def2c27f

SHA256
bd10e1e9bc389807f87f7d1ccea29b1beb61887bf0578ffc5ab4b859dcd1e8c3

SHA512
138e24d44688bca495e37189cbd54dee44306eaf1459e1b905b26ea387173a7c1c6a0db5dfbb5498dfb02b1ff4d0cae768143c0f5d5666ded2de09c8a0820992

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

Filesize
896KB

MD5
cac8ac0519f3b1439641ba4473251861

SHA1
f57c89f1695a1f56abb9546db80e97c6ffefbb35

SHA256
36cc146d0b35d81f25c2e263fd75b19cb567e4fef3345b3edba7c304b1b849d2

SHA512
871fb3f138d4cdf3f697bedfa6deb0279a0d5dbc11a3746dddb23e47e579772b8818758e1cd290182116555bcc2092d8155be1fe29104724f85f14e07e856acc

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

Filesize
704KB

MD5
0b849ed6e43eb3c4e56f28894457e150

SHA1
bc437811b3aa6c802315ef392802651bda5a70c4

SHA256
1e0bfc72430cd557dec5686c4bb79a4d20ecac78c4b0c5463a8eb7628f055215

SHA512
b02e99f48717d185e2471b86e0e126e5e45742b2ba45fae2310cbac672cfd8fee16347bbe6fc8a348990c0d0926483dda491b2522ba26d852c27ec465de3504e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\resources\app.asar.unpacked\static\unpacked\icon.ico

Filesize
279KB

MD5
34ee19ccd44f31cd831dc50920f19890

SHA1
24545d2f4741fb5a4649840486ffd3597b7ade5b

SHA256
136cf9b3a30268d1d439df7b9fd9104cb1d83be7fd2b562c3e9a47450ae0df3d

SHA512
ded8ade93c143dc8abc7a76b03b4015a8637b2ee13b85dd70655d5857289f19ebef76562eace56a3ad3c2418fab5305bb0b6cadd0a412ddb781b8f496e82c74a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\squirrel.exe

Filesize
128KB

MD5
90e257a8b328980953d9ecee76e2bce0

SHA1
b412154e85894cf9a939f2355a221c8fc106e58a

SHA256
d3b936b1e1138f297f27b35659324734e45a49d61b39914b88548c4d61104f1f

SHA512
dc518645856956a4e93fdc7b97cda4db490a4ca02211910765df86e4bb7f79503139f6781a682805d45da1c3ea2235b0c0bc56eb7e9021b330516fb90c90420c

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\squirrel.exe

Filesize
1.8MB

MD5
be23fca9344465fa2f32a34483fca69d

SHA1
46d1d402b54a012aa93949aacd7969e01e8c7d41

SHA256
57b196bacf6c0f017979f19d7a7ce0d5bdc8dee00bc64dd3c125cd50e1c86a1c

SHA512
e692d7eec2beda298bd6f0118b325675045b4f6834d33548cae292d86fee96638432cd8c6653205ff6a38f35c6d5b79072da0621725307f87bcb9309095af8ff

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\v8_context_snapshot.bin

Filesize
585KB

MD5
b32cbc4a5ff34f441e8e0c264aa61849

SHA1
435d88a3e50ff85b6030c4c6e8918161fa340201

SHA256
4f72c7b625b64d38f819a970cfff5921ff4080e27de84b00b9a7cf8be15277c5

SHA512
7c13eedfab9fba821d5a26e5ba81444a84b48aff13a7cd508c03f7ea113997c2edf7126e5547e16fb3e98a942f0070a5d597c25971afbde92b46125085b57b4e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\vk_swiftshader.dll

Filesize
192KB

MD5
0ee6a4933f01ae6751142793aec53411

SHA1
05213c1fc521c11c5b8cbad08ceb51bcefb7abdb

SHA256
5422d4dc3c866c68567d3abe1d7d54af5f5ea29b22eb6f6ac8d941d438dc79a4

SHA512
4fe6ab313252c031c640c46cb134b5174bef66c3ab0b7970beba28727b615faaec892a534acc9d9aaafd8a940e40b49c6c2e6e8a8666dfd5bcca704d7b2f8b95

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.13.14\vk_swiftshader.dll

Filesize
4.3MB

MD5
460b4a1f4ea1bb747c059d0c20f712f0

SHA1
62326ddb53f0e9a503e204ad1141ad127f14a5b5

SHA256
b53d04189ad4830ec0d27657b5ee1c78d79166e2ecac7812e62fb61cfc3170f8

SHA512
be2d053e2dfa38e4180cc8403bbb7c2aa613f363aa3dcaad2d726d1714d156f622e7a6ab4418e130d793b00e5d560d84fa2a8c007bcb4f8e6204b273deda9ae0

Download Submit
C:\Users\Admin\AppData\Local\WeMod\packages\WeMod-8.13.14-full.nupkg

Filesize
1.1MB

MD5
63c0fdcd24729c081519510c5b83c265

SHA1
538425265dca7a04f3876bfd9bcd19e59461e17d

SHA256
83507e0bafd8f4ea9559aa065157734bcfd74a95661b78ee36eac422ca2946d1

SHA512
8848b1e1970bc71f918abf03706b46268e4375538468e4730b99c9e64a6ba95971823208b8921eebdf87ecfe8d7646819c33818c3ead2a80e9674534181b7485

Download Submit
C:\Users\Admin\AppData\Local\WeMod\packages\WeMod-8.13.14-full.nupkg

Filesize
1024KB

MD5
04f041c0765c33818e9b0e2331c37d93

SHA1
02df516c2c4243040f48e7569505793ce9225f3e

SHA256
0aaeba0783980723026313059fc54c7e310abf3192676121c1e7ce6298514af9

SHA512
da3a703fd995eb8e1f976f74ed1ec3b0c9d524a6058f1830eb3d59024ae10e0aa667a69053fe22cc7218167a8bbe02f35901b03c9dc2196582d9b0ae6ec6811e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\update.exe

Filesize
320KB

MD5
d6fd13fe329982735a4a29d1bf35fbe1

SHA1
e47a9b08608125af8b12df03a0626dcba5652de0

SHA256
407bc0983247f86ba90eef4f8ff9ec665417bc1f59fb233be2db4b9a0a871966

SHA512
9ce0051961cf96f0ab7b4940ef0a8e32021e2892e914ece6d98b3c69d348de6d88bd8243020f0a992353a7c041cb3ccadaa3b35dd8d0fb7053f976846b86c02e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Network\Network Persistent State

Filesize
584B

MD5
caad53add988a10bed6cb2340c540c79

SHA1
e9692d7b98286c01e49bc189bd4115d97aa1b8f8

SHA256
b3fb0953745c61d8439cd51ab7f2df71e47935dc14a1a634dd4302af84613306

SHA512
b5f6df9066418c3a9574f59cb06390544c36c88414d1d7e149839fd7afd3e937ca3e2a0a53eea93e45ec815d487d55d2fd56b7be99638aa3479fe69f6b8150af

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Network\Network Persistent State~RFe5953e3.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/2172-276-0x000001D34C6D0000-0x000001D34C6E0000-memory.dmp

Filesize
64KB

Download
memory/2172-273-0x000001D34AD00000-0x000001D34AD22000-memory.dmp

Filesize
136KB

Download
memory/2172-270-0x00007FF839370000-0x00007FF839E32000-memory.dmp

Filesize
10.8MB

Download
memory/2172-269-0x000001D34A7C0000-0x000001D34A8B0000-memory.dmp

Filesize
960KB

Download
memory/2172-305-0x000001D34C6D0000-0x000001D34C6E0000-memory.dmp

Filesize
64KB

Download
memory/2172-304-0x00007FF839370000-0x00007FF839E32000-memory.dmp

Filesize
10.8MB

Download
memory/2416-9-0x0000000000D00000-0x0000000000ED6000-memory.dmp

Filesize
1.8MB

Download
memory/2416-118-0x0000000020710000-0x000000002071E000-memory.dmp

Filesize
56KB

Download
memory/2416-173-0x00007FF837990000-0x00007FF838452000-memory.dmp

Filesize
10.8MB

Download
memory/2416-132-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/2416-11-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/2416-10-0x00007FF837990000-0x00007FF838452000-memory.dmp

Filesize
10.8MB

Download
memory/2416-116-0x0000000020740000-0x0000000020778000-memory.dmp

Filesize
224KB

Download
memory/5140-182-0x00007FF837990000-0x00007FF838452000-memory.dmp

Filesize
10.8MB

Download
memory/5140-130-0x00007FF837990000-0x00007FF838452000-memory.dmp

Filesize
10.8MB

Download
memory/5140-131-0x000000001B420000-0x000000001B430000-memory.dmp

Filesize
64KB

Download
memory/5140-128-0x0000000000410000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/5316-261-0x00007FF839370000-0x00007FF839E32000-memory.dmp

Filesize
10.8MB

Download
memory/5316-248-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/5316-251-0x000000001C350000-0x000000001C878000-memory.dmp

Filesize
5.2MB

Download
memory/5316-247-0x00007FF839370000-0x00007FF839E32000-memory.dmp

Filesize
10.8MB

Download
memory/5756-295-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-300-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-289-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-291-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-301-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-290-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-296-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-297-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-298-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5756-299-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/5808-156-0x00007FF837990000-0x00007FF838452000-memory.dmp

Filesize
10.8MB

Download
memory/5808-149-0x00000000014E0000-0x0000000001500000-memory.dmp

Filesize
128KB

Download
memory/5808-148-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/5808-146-0x00007FF837990000-0x00007FF838452000-memory.dmp

Filesize
10.8MB

Download