Analysis

  • max time kernel
    1049s
  • max time network
    838s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/04/2024, 21:49

General

  • Target

    WeMod-Setup.exe

  • Size

    141KB

  • MD5

    6eea550d20eb78a505428431d8599581

  • SHA1

    e6a5c169eb1b203987863d611511648b9a1208bc

  • SHA256

    9865a54dc5191d22de1b27be4be1e0babe609d5e671d3a62b68cff975ad8071d

  • SHA512

    e5a13f8829019c4bbe9eae105a1e2a0a4a3e740292d050e47e6df7ae12712b7f75d5293ab4710758816ccfe31e45495ba7fafbe58e3962335bd23cf45abaabb3

  • SSDEEP

    3072:Bojm4ILlCI+4COHCyhaEtHZkOpk97oc4ILlCI+4TOHHSafx:Bd+bwaEtHLhiHt

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 20 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 7 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638482098099970000.exe
      "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638482098099970000.exe" --silent
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\Squirrel.exe
          "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
          4⤵
          • Executes dropped EXE
          PID:2396
        • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
          "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --squirrel-install 8.16.1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Local\WeMod\Update.exe
            C:\Users\Admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe
            5⤵
            • Executes dropped EXE
            PID:380
    • C:\Users\Admin\AppData\Local\WeMod\Update.exe
      "C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://?_inst=nY1ISe9HSMpgSrJn"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
        "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" wemod://?_inst=nY1ISe9HSMpgSrJn
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
          "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=948 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3032
        • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
          "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1308 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2932
        • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
          "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1520 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          PID:756
          • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
            C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1712613037304_Out
            5⤵
            • Executes dropped EXE
            PID:2508
        • C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
          "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=948 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2132
        • C:\Users\Admin\AppData\Local\WeMod\Update.exe
          C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2748

Network

        MITRE ATT&CK Enterprise v15

        Downloads
