dcd3241d6730d3380680fb83a8a2358b717cc99f2ba0866d2277fcc6f14d173e

Analysis

max time kernel
58s
max time network
207s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Phasmophobia Trainer Setup.exe
Size

141KB
MD5

99c266ba4a0d7ba401a35f5400a39c70
SHA1

f4d944cf1a22505731cb0c908a8027f16cabeb0d
SHA256

dcd3241d6730d3380680fb83a8a2358b717cc99f2ba0866d2277fcc6f14d173e
SHA512

071e0144989e3791901a1e3a7942150486b30f895382fb91feb1da013bb6a6dabf8f345d8ef0e20093eef05c1c4f44a330868d83d8fe15ea67f5897d0cf9a72f
SSDEEP

3072:Bojm4ILlCI+4COHCyhaEtHZkOpk97oc4ILlCI+4TOHHSafx:Bd+bwaEtHLhiHt

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	WeMod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	WeMod.exe

Executes dropped EXE 12 IoCs

pid	Process
268	WeMod-Setup-638479345736414000.exe
2748	Update.exe
668	Squirrel.exe
1200	WeMod.exe
2728	Update.exe
2792	Update.exe
2396	WeMod.exe
1932	WeMod.exe
2952	WeMod.exe
1948	WeMod.exe
1900	WeMod.exe
1404	WeMod.exe

Loads dropped DLL 11 IoCs

pid	Process
268	WeMod-Setup-638479345736414000.exe
1200	WeMod.exe
1200	WeMod.exe
2396	WeMod.exe
1932	WeMod.exe
1948	WeMod.exe
2952	WeMod.exe
1404	WeMod.exe
2952	WeMod.exe
2952	WeMod.exe
2952	WeMod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	Phasmophobia Trainer Setup.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\URL Protocol	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\ = "URL:wemod"	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell\open\command	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell\open	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.16.1\\WeMod.exe\" \"%1\""	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod	WeMod.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Phasmophobia Trainer Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Phasmophobia Trainer Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Phasmophobia Trainer Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Phasmophobia Trainer Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	Update.exe
2748	Update.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	Phasmophobia Trainer Setup.exe
Token: SeDebugPrivilege	2748	Update.exe
Token: SeShutdownPrivilege	2396	WeMod.exe
Token: SeShutdownPrivilege	2396	WeMod.exe
Token: SeShutdownPrivilege	2396	WeMod.exe
Token: SeShutdownPrivilege	2396	WeMod.exe
Token: SeShutdownPrivilege	2396	WeMod.exe
Token: SeShutdownPrivilege	2396	WeMod.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1924	Phasmophobia Trainer Setup.exe
1924	Phasmophobia Trainer Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 1924 wrote to memory of 268	1924	Phasmophobia Trainer Setup.exe	29
PID 268 wrote to memory of 2748	268	WeMod-Setup-638479345736414000.exe	30
PID 268 wrote to memory of 2748	268	WeMod-Setup-638479345736414000.exe	30
PID 268 wrote to memory of 2748	268	WeMod-Setup-638479345736414000.exe	30
PID 268 wrote to memory of 2748	268	WeMod-Setup-638479345736414000.exe	30
PID 2748 wrote to memory of 668	2748	Update.exe	33
PID 2748 wrote to memory of 668	2748	Update.exe	33
PID 2748 wrote to memory of 668	2748	Update.exe	33
PID 2748 wrote to memory of 1200	2748	Update.exe	34
PID 2748 wrote to memory of 1200	2748	Update.exe	34
PID 2748 wrote to memory of 1200	2748	Update.exe	34
PID 2748 wrote to memory of 1200	2748	Update.exe	34
PID 1200 wrote to memory of 2728	1200	WeMod.exe	35
PID 1200 wrote to memory of 2728	1200	WeMod.exe	35
PID 1200 wrote to memory of 2728	1200	WeMod.exe	35
PID 1200 wrote to memory of 2728	1200	WeMod.exe	35
PID 1924 wrote to memory of 2792	1924	Phasmophobia Trainer Setup.exe	37
PID 1924 wrote to memory of 2792	1924	Phasmophobia Trainer Setup.exe	37
PID 1924 wrote to memory of 2792	1924	Phasmophobia Trainer Setup.exe	37
PID 2792 wrote to memory of 2396	2792	Update.exe	38
PID 2792 wrote to memory of 2396	2792	Update.exe	38
PID 2792 wrote to memory of 2396	2792	Update.exe	38
PID 2792 wrote to memory of 2396	2792	Update.exe	38
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39
PID 2396 wrote to memory of 2952	2396	WeMod.exe	39

C:\Users\Admin\AppData\Local\Temp\Phasmophobia Trainer Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Phasmophobia Trainer Setup.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638479345736414000.exe
  "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638479345736414000.exe" --silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\Squirrel.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      4⤵
      Executes dropped EXE
      PID:668
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --squirrel-install 8.16.1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Users\Admin\AppData\Local\WeMod\Update.exe
        
        C:\Users\Admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe
        5⤵
        Executes dropped EXE
        
        PID:2728
- C:\Users\Admin\AppData\Local\WeMod\Update.exe
  "C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://titles/43830?_inst=Sdz6FrmfC9OQA5wy"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" wemod://titles/43830?_inst=Sdz6FrmfC9OQA5wy
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=948 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2952
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1228 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1932
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1392 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:1948
    - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
        
        C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1712337817371_Out
        5⤵
        
        PID:1660
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=948 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:3032
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=948 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:1436
  - - C:\Users\Admin\AppData\Local\WeMod\Update.exe
      C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable
      4⤵
      PID:844
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2376 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:2188
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2632 --field-trial-handle=1100,i,8233332742172715917,18204445288941111600,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:1576

C:\Users\Admin\AppData\Local\WeMod\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\WeMod.exe"
1⤵
- Executes dropped EXE
PID:1900
- C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
  "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1404
- - C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=960 --field-trial-handle=1132,i,2053839818770856714,14785853122574049744,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e5eb4b0aa3d11c3bf97f598b2a2d11d

SHA1
adbda8f70a7ecc87b2872e67457c8dbd0e5cf8b9

SHA256
2bd12222ebe230ab73460896986f3b4d2bd5f046c8204a4c57ce72305d6b5099

SHA512
36f3d0cea0458aa376ec0764e9110452422b32fd081c87e75aa92aba4fc75cff736157d5972e5365fa62fb34fb200d7b80f628b58a6f591350c8b07823dde9ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c63e7791eebcfb14a0a2d671be6fd8d4

SHA1
53e291a49190f1d77dc61b2507f32fc547481b32

SHA256
498c63ef5af3648b73a40379b46453c87ce04aace6db3019cb426aeccfbbdec1

SHA512
3d822f2141c6c36cd8c121e5e43107e0eb7cb67a53d4a016a27d90d8b515548c21411b8c458614c68d7ec721a70a6cacc7c8a0f3d2dcd18e9fd857e04e97228f

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
77B

MD5
eb57d40350a65656c93c83deb4d62782

SHA1
aaf2dd180f11a3ba3c8da53f635910e0fd7a9c64

SHA256
0b328db09af31969dcd7987f65fa78c0fd6f01b4e51b59752dfb875a21b5d832

SHA512
ac65249088fea1e810ca0216c7cd842f5bb8cbfec78f6b7ae4566ce23fc643dad312856ecffd31525db842595d93fad20f78372d79da02603400c8dca524420e

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\WeMod-8.16.1-full.nupkg

Filesize
99.9MB

MD5
59a0bacb9d0f7e5f1b195dfd683d0e72

SHA1
986ff93d69ed07ed967fa36be550f1a58ca2286d

SHA256
752d53f6529940694965ff22a9136a80b464a2750e326eeebde66eac4c08ccd5

SHA512
921690b07f50368630b59bf25ab3f2d649b2c7c2b344f7cb66270987645004a5f4179f42850f572b0b197fd534e12a696743b82538db4d3dbcc2109691bce5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar325D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638479345736414000.exe

Filesize
100.8MB

MD5
1c9da682268453db59f11b8129f827a3

SHA1
d34e82203d3be584ba02e15772de6a5fc0f52978

SHA256
120c915fd6c5b15eac234a676c94722985578483ee7883406ce6d40e76cca94b

SHA512
810589a1252d3f598289852e2889ea4ec745e7abb92463518c20901906449907cef94c4b803d64f86c36215634209ee74f6cdbcffe16382dd4c6faeb7c4aaa38

Download Submit
C:\Users\Admin\AppData\Local\WeMod\WeMod.exe

Filesize
536KB

MD5
962ad3ca5b38e18954d2992912369d49

SHA1
99a9c9d14f9f2ddaf7fd0818cc8b829c858b141d

SHA256
cfeab93bcfd99a583a0dd47197c0ead1c54a4ce94d19d777cb004eaa9a18f909

SHA512
0340397f3326a237332704112125e522fef1d967e408493a5674fc0a997fdb3e0fbe308dca9d5a9d4cf8d21addcbd9ad2e9a5f7e9e09239384a5af76152f2d52

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe

Filesize
130.2MB

MD5
337f0c70d43d402a28cfbddbcb821a2b

SHA1
c7d148c12b401a7fed082747ca565ff987db74f8

SHA256
41cef8681a124639bc6475c431180dc6312d13a4e9a94d1b589b7e0225b25cf0

SHA512
4e1dd04bc799ea3fb372137a33fa1d32e2f294a1573dcd4ccd0f1af65e99e86d469063b2859fab6e17548d8802f9cdc95d81f2aed32bcca7dc87efae790c89c8

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources.pak

Filesize
5.1MB

MD5
f5ab76d2b17459b5288b6269b0925890

SHA1
75be4046f33919340014a88815f415beb454a641

SHA256
4f29587bcd952de1dbc0b98df0aa506bd9fcf447e6a7258c5eb7e9eb780e6d6c

SHA512
6ec6a08418743adb5e20218b73169be4f45f5458592219497c3718e620e37871876788937418f1341e0023c1137f9cac715e6bb941f4690febdda993b072feab

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar

Filesize
7.1MB

MD5
539471ef86f782e5863248b43637b986

SHA1
d7622bb8c7d9c2000557831b266505aa66b9cf31

SHA256
9b2744abdcb0eff53c2763de1f6d3008037cca5392661a6e0893c05826603c39

SHA512
e5e16dd0fa89d1dc5e810f1bee50ae3c15dbc10702efd1b3534b1dc56ac965dd89ad5b5449554700576a41ee623bb0bb85eacb50e47162bd0adc71c59a9a651b

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\icon.ico

Filesize
279KB

MD5
34ee19ccd44f31cd831dc50920f19890

SHA1
24545d2f4741fb5a4649840486ffd3597b7ade5b

SHA256
136cf9b3a30268d1d439df7b9fd9104cb1d83be7fd2b562c3e9a47450ae0df3d

SHA512
ded8ade93c143dc8abc7a76b03b4015a8637b2ee13b85dd70655d5857289f19ebef76562eace56a3ad3c2418fab5305bb0b6cadd0a412ddb781b8f496e82c74a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\squirrel.exe

Filesize
1.8MB

MD5
dee4a16b8a08762e6d7abe7f71ad1b5b

SHA1
09248ab4df71826c4b9128b091a0e2cba6f63dd0

SHA256
7168ee307189a338fe189acc983899d552fa2652579bedd627ea83c91b33369d

SHA512
0ce9fb7fda310f77bfe5b6150ca0ff466e6c530e8ce77fe0f8ddfad478cf935d779c94ae912aac74bbd05efd86c6d7c3a5909d235ede56ae8d205404621885a3

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\v8_context_snapshot.bin

Filesize
585KB

MD5
b32cbc4a5ff34f441e8e0c264aa61849

SHA1
435d88a3e50ff85b6030c4c6e8918161fa340201

SHA256
4f72c7b625b64d38f819a970cfff5921ff4080e27de84b00b9a7cf8be15277c5

SHA512
7c13eedfab9fba821d5a26e5ba81444a84b48aff13a7cd508c03f7ea113997c2edf7126e5547e16fb3e98a942f0070a5d597c25971afbde92b46125085b57b4e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\vk_swiftshader.dll

Filesize
4.3MB

MD5
1bc5d8a0419f8d8ac2b2b7a74e9678ec

SHA1
c64f2f7f3b4b174866b4db8e720d809bed557b91

SHA256
f58c0177b48538f6ec2cfa3675cd9420ed82a50ff49185e7dd581a778c48b48e

SHA512
434181b1b4d5adfcaff457c31a0fdb4df77cf01da2cf4d7090e9f387f44006fc829b372f10ebb64e795e4f38096eb7678ab3c3ce539074d93e6f7b7845a3a79d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Dictionaries\en-US-10-1.bdic

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\FontLookupTableCache\font_unique_name_table.pb

Filesize
124KB

MD5
d1324708f4a47dd75eb6caed2c00bd18

SHA1
de0e6760c814d7e3434080bb7df99a1c6629cb94

SHA256
1fca1ef38e194c5d64926876f7e4c6e96df852eefb58ee12e294758498b6c439

SHA512
3f2283fbe2ca257fef694bde392cdfd414af6bd531efcf71df9f54a9373ff65f9a3f096b5e07c665c9111540d7453483f451ea2d0300aeabe85a2f62c577bc67

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Local State

Filesize
389B

MD5
270a1f8cbe226f678c4b56f6ae903e33

SHA1
cd12ce6f5876541f9dda17797c5bb164aa7a41e0

SHA256
5beb3ba36ded7a17000c651deae74d69bc69df721f9b23b64c80cc38b923819f

SHA512
d9f741b72578151d5dafd14c05a64b803b2d5fa8c78ae01e49147cbbfb51d588c293f7fff6d2e7ce8e893e3a1d16e046d12439f51bdcc6d76a4ca74ab53e94f8

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Local Storage\leveldb\CURRENT~RFf770667.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Network\TransportSecurity

Filesize
526B

MD5
3464d9d38b00fe63150c3be5d4e345b1

SHA1
668a5c69c090d59f84de2ad753a365ace40352c2

SHA256
57d6862a3253a35ee67e15396dcd4eea82b043b92bdaf9ff5eeeba5c6c8b6087

SHA512
4b725d81534784d70a6207998fc5a1080839844cbea0bb8e6ed4cbda0de2f93c6fc96eec0b9b99ac383b73fa1a1f032599e8a472487d53994c833ed4ae0a7ba8

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Network\TransportSecurity

Filesize
526B

MD5
01c3d103049fe400b85b7f925f90f847

SHA1
3cc73889ebc51f5aa01d29ee2c67112c82a9a326

SHA256
cc7719a47df5b1a800d97d600ea12bdf829069d9639b761b139c5a20176bc58b

SHA512
ce65624f550327514c6041834a22b5734aa3320c881b7d744082aefd2a3d5ec3de460d016e1fab3422cb899cf26c60d0ae13695a505eee06bcf6f922595ca24a

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Network\TransportSecurity

Filesize
524B

MD5
4352b65206f32e08e0b94347c90f520c

SHA1
6d5301e15e2e3193f3d8ec71e41b6a476780d7ff

SHA256
911b422b1f2d68af2b03b17d0b09436e29dd823ab389e8a03128a9df784c60e1

SHA512
99aa73f21fc91aaf08f5fae8fa014894533dcaf868de1a08e74f298617ae82f094778bfd9d40d672a1b9023d967ecb0afc1de2fdb4645e0795a57d734f1db0c2

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Network\TransportSecurity

Filesize
526B

MD5
a30f75aa8136b3a29004d6432d05771a

SHA1
e2d04339aefaefc881f0f1eb0b7a295d05fce321

SHA256
cdcb5abe2c9cc2259c765f4c66756f153e0d26bed36359b6001394e949534f30

SHA512
abf6c113789cffd350273b4170169d99731fcad6fb4037284de002debd8e0e06e18251c18319bae8869045d91683c5486b9ef6c1edbc2b8043b97f6e5ac32a5a

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Local Storage\leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Network\bdb8dffc-16dc-438a-9b3d-79eb0ad299ac.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
750294620c347fcd51c9c7d3a91df1f6

SHA1
32f96f434b87f27ab55cc561d0773d0892bb49f9

SHA256
26ca155b98e36912ee537b55671e2bd5a75107d168168375e58a8b713ef2358f

SHA512
4e0acd0c093ca7b5b42b51e89fc90d58d3306c4847ff2f6e1cd5e6a1bea1a656c35528a017d0a4ab8d699c7d3e6756d0f61f031d66b09a5180a62d00e7568f87

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.16.1\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.16.1\ffmpeg.dll

Filesize
2.4MB

MD5
3621280d3e04d9643822ef8f5dc0fb91

SHA1
6a552d28c3d87908fb583eede8a3eab44ebbd259

SHA256
5ac630e962666a21346cf7efa20eb09ac2a45ae3110eaf6c28ad3ddc87533ed5

SHA512
9c655b0d5b72d57d49b5c94b406b5abdc2e1d668f40a7e754134655e333abf50cc96204b0d516dbcc4c74831ca7f3577756f7d6f0112bc610e8b3e59837333dd

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.16.1\libEGL.dll

Filesize
385KB

MD5
8b2fd69c70b2b1a64558893bbc9c1423

SHA1
f619e5b9202063221ffdd746aa4b630d07e3bc3c

SHA256
2eec2c76aa01b0562be3f76c539b1a5086a437d66254c7237c6562056f767fb8

SHA512
42ad67059380fa4be5d2481d2db282716cbe0dfa20d63ee88d3802c022c9fb088b313c686b849b5fe890d5f89f7ea3d4ecac0c64e201335fa74c5bde29f0ad25

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.16.1\libGLESv2.dll

Filesize
6.4MB

MD5
b309eccc727895e3b3481f9326bdcb41

SHA1
149f033e550de20f41311c46bb23fed09bb9201f

SHA256
9dfcd4d9b417f70e80c0b81b9e55a6be9800900d0c30e34fb6db12d5a094497c

SHA512
cba32db9d50c4c79b4a740b083baa5a7b24858d7608f0671a4abbc1aa63a738352fbda219ec7690e9b386eb1bcfb7765daebc1950c18e6c8bfe46a9387668827

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.16.1\vulkan-1.dll

Filesize
784KB

MD5
18b618dc84321794a818a665770d3720

SHA1
7dc7990452bd3c2e26dfdb7f14fdc38310b2ac79

SHA256
a7888b8651d16156fbe389ae25581332b7518f50535cadc1b7da554c98ddcbfa

SHA512
166d96a69ce08085d40d4207c2cb02fbda2ae51e2187c3e67ca08b6c05c2b31a77c39dd920ecc028f12854399eb2fcf48954904c36800bcc42a92d97d96a3a3a

Download Submit
memory/668-261-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/668-218-0x0000000000930000-0x0000000000B0C000-memory.dmp

Filesize
1.9MB

Download
memory/668-219-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/844-527-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/844-526-0x0000000000A00000-0x0000000000BDC000-memory.dmp

Filesize
1.9MB

Download
memory/844-529-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/844-539-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/1436-847-0x000000000C510000-0x000000000C710000-memory.dmp

Filesize
2.0MB

Download
memory/1436-724-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-982-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-983-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-984-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-985-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-986-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-987-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-989-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-990-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-992-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-994-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-996-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-979-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-976-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-955-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-970-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-969-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-973-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-974-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-697-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-704-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-706-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-708-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-709-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-710-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-711-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-712-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-713-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-714-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-715-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-716-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-717-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-718-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-719-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-720-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-721-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-722-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-723-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-931-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-725-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-726-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-727-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-825-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-827-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-843-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-845-0x000000000E8E0000-0x000000000ECE0000-memory.dmp

Filesize
4.0MB

Download
memory/1436-927-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-849-0x000000000C510000-0x000000000C710000-memory.dmp

Filesize
2.0MB

Download
memory/1436-859-0x000000000C510000-0x000000000C710000-memory.dmp

Filesize
2.0MB

Download
memory/1436-862-0x000000000C510000-0x000000000C710000-memory.dmp

Filesize
2.0MB

Download
memory/1436-915-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1436-919-0x0000000014A40000-0x0000000015240000-memory.dmp

Filesize
8.0MB

Download
memory/1660-673-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1660-528-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/1660-531-0x0000000000230000-0x0000000000320000-memory.dmp

Filesize
960KB

Download
memory/1660-534-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1660-585-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-3-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/1924-92-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-2-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/1924-1-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-282-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-75-0x0000000022A40000-0x00000000231E6000-memory.dmp

Filesize
7.6MB

Download
memory/1924-0-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download
memory/1924-90-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/2396-326-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2728-235-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-234-0x0000000000C80000-0x0000000000E56000-memory.dmp

Filesize
1.8MB

Download
memory/2728-244-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-237-0x000000001B6D0000-0x000000001B750000-memory.dmp

Filesize
512KB

Download
memory/2748-109-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-254-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-111-0x000000001A930000-0x000000001A9B0000-memory.dmp

Filesize
512KB

Download
memory/2748-108-0x0000000000810000-0x00000000009E6000-memory.dmp

Filesize
1.8MB

Download
memory/2792-264-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-266-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2792-271-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-263-0x0000000000870000-0x0000000000A4C000-memory.dmp

Filesize
1.9MB

Download
memory/2952-288-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download