6bc05cc2280e8697366056a295a5a5dcd77d115f6c493d90c4c3ec19374e5175

Analysis

max time kernel
31s
max time network
30s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeMod-Setup.exe
Size

141KB
MD5

f83e128a8f3be008da01b169301fb556
SHA1

b262677e294a05faa1670f014df17746e21d6dc5
SHA256

6bc05cc2280e8697366056a295a5a5dcd77d115f6c493d90c4c3ec19374e5175
SHA512

162b9cfac76aec9ab3a3f02d19127f16f6a1d88afb43028ad7b1325ab9daf328a0a701c12051875dcd52d31053200a756990f99e4b8c300ca92c3a6d0ba72c19
SSDEEP

3072:XGjm4ILlCI+4COHCyhaEtHZugr7t4ILlCI+4TOHHSTs:Xr+bwaEtHBHto

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\Geo\Nation	WeMod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\Geo\Nation	WeMod.exe

Executes dropped EXE 13 IoCs

pid	Process
2524	WeMod-Setup-638560903309410000.exe
2160	Update.exe
2332	Squirrel.exe
1696	WeMod.exe
2756	Update.exe
3000	Update.exe
1148	WeMod.exe
856	WeMod.exe
2176	WeMod.exe
1172	WeMod.exe
2560	WeMod.exe
1600	Update.exe
2316	WeModAuxiliaryService.exe

Loads dropped DLL 20 IoCs

pid	Process
2524	WeMod-Setup-638560903309410000.exe
1696	WeMod.exe
1696	WeMod.exe
1148	WeMod.exe
856	WeMod.exe
2176	WeMod.exe
1172	WeMod.exe
856	WeMod.exe
856	WeMod.exe
856	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
2560	WeMod.exe
1172	WeMod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeMod.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	WeMod-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com	WeMod-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1"	WeMod-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com	WeMod-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "34"	WeMod-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage	WeMod-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	WeMod-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34"	WeMod-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "34"	WeMod-Setup.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod\ = "URL:wemod"	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod\shell\open\command	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod\shell	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod\shell\open	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.20.0\\WeMod.exe\" \"%1\""	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\wemod\URL Protocol	WeMod.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WeMod-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WeMod-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeMod-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeMod-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeMod-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WeMod-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WeMod-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WeMod-Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	Update.exe
2160	Update.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	WeMod-Setup.exe
Token: SeDebugPrivilege	2160	Update.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeDebugPrivilege	1600	Update.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe
Token: SeShutdownPrivilege	1148	WeMod.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	WeMod-Setup.exe
2040	WeMod-Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2040 wrote to memory of 2524	2040	WeMod-Setup.exe	32
PID 2524 wrote to memory of 2160	2524	WeMod-Setup-638560903309410000.exe	33
PID 2524 wrote to memory of 2160	2524	WeMod-Setup-638560903309410000.exe	33
PID 2524 wrote to memory of 2160	2524	WeMod-Setup-638560903309410000.exe	33
PID 2524 wrote to memory of 2160	2524	WeMod-Setup-638560903309410000.exe	33
PID 2160 wrote to memory of 2332	2160	Update.exe	34
PID 2160 wrote to memory of 2332	2160	Update.exe	34
PID 2160 wrote to memory of 2332	2160	Update.exe	34
PID 2160 wrote to memory of 1696	2160	Update.exe	35
PID 2160 wrote to memory of 1696	2160	Update.exe	35
PID 2160 wrote to memory of 1696	2160	Update.exe	35
PID 2160 wrote to memory of 1696	2160	Update.exe	35
PID 1696 wrote to memory of 2756	1696	WeMod.exe	36
PID 1696 wrote to memory of 2756	1696	WeMod.exe	36
PID 1696 wrote to memory of 2756	1696	WeMod.exe	36
PID 1696 wrote to memory of 2756	1696	WeMod.exe	36
PID 2040 wrote to memory of 3000	2040	WeMod-Setup.exe	38
PID 2040 wrote to memory of 3000	2040	WeMod-Setup.exe	38
PID 2040 wrote to memory of 3000	2040	WeMod-Setup.exe	38
PID 3000 wrote to memory of 1148	3000	Update.exe	39
PID 3000 wrote to memory of 1148	3000	Update.exe	39
PID 3000 wrote to memory of 1148	3000	Update.exe	39
PID 3000 wrote to memory of 1148	3000	Update.exe	39
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40
PID 1148 wrote to memory of 856	1148	WeMod.exe	40

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638560903309410000.exe
  "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638560903309410000.exe" --silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\Squirrel.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      4⤵
      Executes dropped EXE
      PID:2332
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe" --squirrel-install 8.20.0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Users\Admin\AppData\Local\WeMod\Update.exe
        
        C:\Users\Admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe
        5⤵
        Executes dropped EXE
        
        PID:2756
- C:\Users\Admin\AppData\Local\WeMod\Update.exe
  "C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://?_inst=AS2HgRR03W5QkNdw"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe" wemod://?_inst=AS2HgRR03W5QkNdw
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1088,i,3065608327420007217,3220820812162503441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:856
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1308 --field-trial-handle=1088,i,3065608327420007217,3220820812162503441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2176
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1524 --field-trial-handle=1088,i,3065608327420007217,3220820812162503441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:1172
    - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
        
        C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1720493547916_Out
        5⤵
        Executes dropped EXE
        
        PID:2316
  - - C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=944 --field-trial-handle=1088,i,3065608327420007217,3220820812162503441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2560
  - - C:\Users\Admin\AppData\Local\WeMod\Update.exe
      C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable?osVersion=6.1.7601
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
91512356b5377f51081923a1f5e1b3d1

SHA1
7bfc176321d5e78da0bf5e9a13bbaf95a14d5ad0

SHA256
b1b5c747f4eb1cbad91c5bece62aa91c463b8b67c4eca843aa0eac4910db8633

SHA512
134f77596962f1f22c3f7592b24bef90d8e4193c5c8d0d0ed0ed6a89031139a1d09a124cba5e84fed2b3f22589c77f5045c94ac1b662376fa3d5810d958a3cc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
528fa1e5322177b7226cf388c2b7f709

SHA1
c3344a6e627302dbb2616e74cff9515e5a9ce880

SHA256
ce92c254c8f82abbc0b59667f96353ef97b964a1105e864674194fb2ace2ba03

SHA512
4648f5e970627257fe9bfc8cd937b981615f4bbd6afa56b10f66309211a70fa476f402d6207662d6bdba28192fcd904e6b914ad6f0f1dab73a38ca8be8efc365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
92eb055f44541e1b2bc0c346f21897c2

SHA1
42bfd63194e7f7c52a5a7b3793cf774705dc4f8a

SHA256
75b1bb22329b364f64b567874a5155c182f3e56401b8219606ced78764ee6a3d

SHA512
c51aedb080e76b71c5441ddff6fe62a2b94fab86095dec54af0e2cb9194de094a120189aac6805c0e6046a5ab773174dc967715e9b6abdd148799de048298595

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
77B

MD5
1baa76709c19137a12ed07e0fa2d41f1

SHA1
4670401d635483176a7779b074e6670777cdf5a8

SHA256
34a73439ec868f153b6fbad88a36a56ec192eb63a10ef7ff83da2f264086a586

SHA512
49d7f680bd4b44de72dd51ec4edf60923b73986ef669230ed6f12f4a3cf6eb1f1f46c9371dadb8e3cb85aa9e4404478e44a1788d1edfd2c21fc8f986acef1570

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB618.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB63A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\WeMod\WeMod.exe

Filesize
536KB

MD5
80f9d322f988aadb70d1dfd86edec7e2

SHA1
ed986e150a8c367f5b34b4b0d44479889d93d980

SHA256
bff188aa9e514a6d5045c7c3acc57d3581d1189402451a2483343c5e1b86fffb

SHA512
1972a3354bfe0502cb5aed7a9b3cbc1089abc41789d623052dc47fc5eac625cdd193cc0fb87ed07930902bf788882ffb86ce53596cd5480e9112ea19f6f35268

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\ffmpeg.dll

Filesize
2.4MB

MD5
9e328c8963091429984d069be909365b

SHA1
0611c00b175b9d48a4a87fd8acd7db9254aac369

SHA256
a27d5af923f26bdbee48b1982fcc1b70e60fe9841b15a7a6501c3d204285e740

SHA512
37fa0783694d2642c11c7a82fe0093852b8c450d7e583fb11582d6a88efe274361523d92f66f164b1e8ee40c8c31028271ec7526c5a20df78ae38bdc5433cac1

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources.pak

Filesize
5.1MB

MD5
f5ab76d2b17459b5288b6269b0925890

SHA1
75be4046f33919340014a88815f415beb454a641

SHA256
4f29587bcd952de1dbc0b98df0aa506bd9fcf447e6a7258c5eb7e9eb780e6d6c

SHA512
6ec6a08418743adb5e20218b73169be4f45f5458592219497c3718e620e37871876788937418f1341e0023c1137f9cac715e6bb941f4690febdda993b072feab

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources\app.asar

Filesize
7.4MB

MD5
650aeda8842df2387ea179931998ab42

SHA1
8213eaaa238a8fb3013980dd8d7ca7e07244d71a

SHA256
328b37f0159ba5c726aa947000fd97885c22c7a37c2e5508cc51002680f58a05

SHA512
6bfbfb6d5cb567e3f4e79c7d1cc0c84c5268445eb1d99cc47f86c0767c1f170fa282ab3f08d2a6f129b4e0b9c4ef51081b6de19876825b9fef98dd4eb532aa91

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

Filesize
945KB

MD5
74bdec2a1b6ee5cc7276f47d13edc48a

SHA1
71a8a2b69cb0e4f333812bd72fd06cf6e1a3b61e

SHA256
7fb226a4b4c6f72314f74bd5f667d678bb3b2c2d5d76c0c9b1b4a8fa0799fb19

SHA512
a0798582456212c55a74c1dfa059148726601440f7d64c5957ee5fc8fc14368017ff4af6d99295b8ce651a38bf3d086eef46f78a1fff7008552cf6a2e6984e30

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\resources\app.asar.unpacked\static\unpacked\icon.ico

Filesize
279KB

MD5
34ee19ccd44f31cd831dc50920f19890

SHA1
24545d2f4741fb5a4649840486ffd3597b7ade5b

SHA256
136cf9b3a30268d1d439df7b9fd9104cb1d83be7fd2b562c3e9a47450ae0df3d

SHA512
ded8ade93c143dc8abc7a76b03b4015a8637b2ee13b85dd70655d5857289f19ebef76562eace56a3ad3c2418fab5305bb0b6cadd0a412ddb781b8f496e82c74a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\squirrel.exe

Filesize
1.8MB

MD5
e708e2c33c242d0b2f720ea4ee7ac981

SHA1
9913f6dce34e94c92c662583d2ef727b6e8c73fe

SHA256
537582d59099b077e60193ea33ffbbc757962c418d4ebefc5968a09cb8dab582

SHA512
73db2e3002f29186b800ea90906685e5aaa3ad9005abd437c45a68098758a65676cca3e56415d1cd457a0bb298a85169222168296a7b4533d9d73218b70b140b

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\v8_context_snapshot.bin

Filesize
585KB

MD5
b32cbc4a5ff34f441e8e0c264aa61849

SHA1
435d88a3e50ff85b6030c4c6e8918161fa340201

SHA256
4f72c7b625b64d38f819a970cfff5921ff4080e27de84b00b9a7cf8be15277c5

SHA512
7c13eedfab9fba821d5a26e5ba81444a84b48aff13a7cd508c03f7ea113997c2edf7126e5547e16fb3e98a942f0070a5d597c25971afbde92b46125085b57b4e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\vk_swiftshader.dll

Filesize
4.3MB

MD5
7adcf57737f77862c73e82632bd02cd3

SHA1
3f601867913a111f2b461290aa57894ca53d785f

SHA256
b3fb359e1067424bb897588ba46b13e4829a71837f486c3d9b39b8d0221d469c

SHA512
f194c840d6f9b942e1c05177e7590f5b169dec78c5af9e031060536af0633c4731bfa8ca98c50c3613592643dac2b77eb27c5a73b044efc5e634f974e2a3c89f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.20.0\vulkan-1.dll

Filesize
784KB

MD5
89e829e7b417f7bc881b461df92c7251

SHA1
5e31b9690348250f907a3bfabcda87ddd34e6d7f

SHA256
357b2641e5dbb9bcbc15f20a45e4e75c5d84c8b044310d7ffb2db85915e94af7

SHA512
911cc57f8195530c5ab7757a127982061fdbf34f2b19ab10c053745015df0a0e95eecdea7da3d8cf4c3964c499243293b274d3a8097ac32ad2f51c7b5b6467e6

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Local Storage\leveldb\CURRENT~RFf76ff17.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Cache\Cache_Data\f_000001

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Local Storage\leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
7c6f238cb5a4494b720bf95e965b1306

SHA1
4d4c8e757a59a8ca910838b8b3205905929abbaa

SHA256
46ed9bbe676a92550914c4de76ab0bb97ffbac54b75bba3539b160eb51b6c048

SHA512
dcd130acd048f6caf5a0fa1c05f987f5942a442e81965380852da92dd384177e2ed17f3bd1896f474978fb45119e4411811ced35e94d754e6247b9c58f2a4787

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.20.0\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.20.0\libEGL.dll

Filesize
384KB

MD5
899fa9e604fb0096c9625c60e8a506b9

SHA1
0f3ece04440a8b7c7932889974b722365ffa8088

SHA256
7fe31c0260201f48ac5ff7438b8d3fb05208df6763301b140c53068989556aae

SHA512
f171346b16ef40ef4675141011d452fbad0786d69c049ba7c5fa680990d54e61135774c374d3847f553dc06060cbd95c6e3bcf38535e8864b42050d570ab91be

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.20.0\libGLESv2.dll

Filesize
6.4MB

MD5
1c0c0d5380730d6bea3493ae2252ffae

SHA1
2679121c696c79c8b9a94c30380ad218aac76315

SHA256
b6d2326861d4089d65ab1aa1502ab6b4b436e09706943e40d28cfefbd3546472

SHA512
c42e954b297e408c77c6b5f4a06db06b93f42e01dcc64b44437ef06eca74e4160b8ee47da5d8b9614008c615d315c90902ebb81990f3aec2f28efc29b5916949

Download Submit
memory/856-335-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/1600-521-0x0000000000DA0000-0x0000000000F7C000-memory.dmp

Filesize
1.9MB

Download
memory/2040-152-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-3-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-1-0x0000000000AD0000-0x0000000000AF6000-memory.dmp

Filesize
152KB

Download
memory/2040-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-285-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-326-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-4-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/2040-151-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/2040-88-0x000007FFFFEB0000-0x000007FFFFEC0000-memory.dmp

Filesize
64KB

Download
memory/2040-78-0x0000000022EB0000-0x0000000023656000-memory.dmp

Filesize
7.6MB

Download
memory/2040-5-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-166-0x0000000000B10000-0x0000000000CE6000-memory.dmp

Filesize
1.8MB

Download
memory/2316-526-0x0000000001370000-0x0000000001460000-memory.dmp

Filesize
960KB

Download
memory/2332-273-0x0000000000FC0000-0x000000000119C000-memory.dmp

Filesize
1.9MB

Download
memory/2756-290-0x00000000002A0000-0x0000000000476000-memory.dmp

Filesize
1.8MB

Download
memory/3000-314-0x0000000000B80000-0x0000000000D5C000-memory.dmp

Filesize
1.9MB

Download