cf9ad4a41c8958ef4c82b4447c76a444f2c6d71eb73dc59e73be05d889e0a713

Analysis

max time kernel
59s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeMod-9.7.0.exe
Size

118.3MB
MD5

6435e124fd689303deb2147ed6b5fc8f
SHA1

ec62cc78ab662203c4808dec7e7978a5b5d37323
SHA256

cf9ad4a41c8958ef4c82b4447c76a444f2c6d71eb73dc59e73be05d889e0a713
SHA512

33c0644733a2594dcfc8c59d41132a819e64588021aaf0bd70887afa3dee103e4622cc39da9b1f31b54f14206b37695207efb16063ecfac4598bc981452bf2c1
SSDEEP

3145728:j8oAgD2JQ5H3ry8W/3irQ9QMacIKhDPFMTSp6HpCqQ6KjY2I:jF9J5zFMDNtP2g6HpCH6oA

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WeMod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WeMod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 13 IoCs

pid	Process
5044	Update.exe
4808	Squirrel.exe
1892	WeMod.exe
3592	Update.exe
2504	WeMod.exe
932	WeMod.exe
2932	WeMod.exe
4440	WeMod.exe
5008	WeMod.exe
1752	WeMod.exe
5460	Update.exe
5552	WeModAuxiliaryService.exe
5772	Update.exe

Loads dropped DLL 11 IoCs

pid	Process
1892	WeMod.exe
2504	WeMod.exe
932	WeMod.exe
2932	WeMod.exe
4440	WeMod.exe
5008	WeMod.exe
1752	WeMod.exe
4440	WeMod.exe
4440	WeMod.exe
4440	WeMod.exe
4440	WeMod.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeMod-9.7.0.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	WeMod.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeMod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WeMod.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod\shell\open	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-9.7.0\\WeMod.exe\" \"%1\""	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod\URL Protocol	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod\ = "URL:wemod"	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod\shell\open\command	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wemod\shell	WeMod.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3028	msedge.exe
3028	msedge.exe
1580	identity_helper.exe
1580	identity_helper.exe
5044	Update.exe
5044	Update.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	Update.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeDebugPrivilege	5460	Update.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeDebugPrivilege	5772	Update.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: 33	5740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5740	AUDIODG.EXE
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe
Token: SeCreatePagefilePrivilege	2932	WeMod.exe
Token: SeShutdownPrivilege	2932	WeMod.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
5044	Update.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3120	3028	msedge.exe	87
PID 3028 wrote to memory of 3120	3028	msedge.exe	87
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 4896	3028	msedge.exe	88
PID 3028 wrote to memory of 3012	3028	msedge.exe	89
PID 3028 wrote to memory of 3012	3028	msedge.exe	89
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90
PID 3028 wrote to memory of 5012	3028	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\WeMod-9.7.0.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-9.7.0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1492
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5044
- - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:4808
- - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --squirrel-install 9.7.0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1892
  - - C:\Users\Admin\AppData\Local\WeMod\Update.exe
      C:\Users\Admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe
      4⤵
      Executes dropped EXE
      PID:3592
- - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2504
  - - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
      "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --type=relauncher --no-sandbox --- "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:932
    - - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
        
        "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
      - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
        
        "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,16710155344496010938,6964202667048762286,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1808 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4440
      - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
        
        "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --field-trial-handle=2216,i,16710155344496010938,6964202667048762286,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5008
      - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
        
        "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2416,i,16710155344496010938,6964202667048762286,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
        
        C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1722626864466_Out
        7⤵
        Executes dropped EXE
        
        PID:5552
      - C:\Users\Admin\AppData\Local\WeMod\Update.exe
        
        C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable?osVersion=10.0.19041
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5460
      - C:\Users\Admin\AppData\Local\WeMod\Update.exe
        
        C:\Users\Admin\AppData\Local\WeMod\Update.exe --update https://api.wemod.com/client/channels/stable?osVersion=10.0.19041
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff429e46f8,0x7fff429e4708,0x7fff429e4718
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,5924643788286278011,6735399906174807150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:5548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x3e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Filesize
1KB

MD5
fcc4a55e80568c4693f6d2eff7ef757e

SHA1
d24958d197482557722f616507d8b14dbeadebd8

SHA256
1f5a1b10b49c35bff02f63ebaf8cd3faf74b51bd131d3dcfb952590c8bcd5eea

SHA512
67de4502abff297c90eb2cfbb3d03bfbef3400d6ee19b3cbb47b3ed9bad4b795946406a6975564321edff618d1a589076b57609c2ca38efc5650899a8483a271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3523712e-db3e-411e-bf37-d9fb2bab7530.tmp

Filesize
11KB

MD5
70ae572eab17f738e316740d0bebe2ef

SHA1
eefc77f8c31fa0980b225b8d2536e35b72b871d6

SHA256
4656305dad9ec7816617d2723f72e217f7f2ed722bdf44d46558a3b7765f2e05

SHA512
5c7d1ea20fa879d532277054cc9cc2adda91e27823c166f2909fddda34a6614bcb0b567bdb2fd882c540cb9df48af586f909693825f2b6649b3e53b8091788c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7984d9710381ce58fb50c894affe8d6f

SHA1
f9a78232a246e6a502898a51aa7772911f45cb11

SHA256
d5c9beff822620735c2818380bf69f75f899645cbe7f241eefa7e2a7dc9ef453

SHA512
951434ce86340ca0339ae1122894672f3291b59f49199cbebc15349265fd960ae412249419a726f93be5855632cf28c7e1c33d4a945bcf4a20e96f2bfb3ec9c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
280b1ab6898cfa9aafd9bd6beee9befa

SHA1
0205f13cf20ea423b54eb110302b3040e3aba1dd

SHA256
cb22c1c398b4b7f65c9f5a4daa336eb3a4f472a2c89de5d347c7e3131d2fe8c6

SHA512
e0d25ed9ed10a3d67d7c2043ecb37151b3e63b4ac81623749fc3d3a490fc8da04d30303d753a9f4754974a92b85af16480ceba845c5e487e3cffe22a9804ec76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eaf6e757ffa4e6656028dea8dd4599db

SHA1
d2597d17a0020e03cca58c9c430cd502d6d8140e

SHA256
9974751110343deeda51ff2ade0634250be2e01c8c95f5a3baa5ae3afb12c2c6

SHA512
4f1025b487ca15d0ac1f062f6607938ad19c03cb97899ef021ccf89a220973861596b5e067e7dfeb443f4cf6248fe2542cbd80c9cb3b7e857381453bf04651dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd3380efa75a6d3811d417cdaa523fbe

SHA1
6b26fd4d83877654d719c2a9b9c765d376ecf32d

SHA256
47440c72b8ad847c1adb159b8dde3e80440abb557e14b32655b71730746ae657

SHA512
9206a39c39085d02de7bbc235fadb3bfab25829df3fbc3d183f4f7f5111860a473ebfc707e37319795cbcb24288c2dcf04a7b53ebdf647843d7bcd9ce6411f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d3bc6e264b6e0b012e906ccffff552e8

SHA1
b88d4e9ae2be68f60a01b41f853ac05bd3b50a75

SHA256
79a8fb09b48554926a16d42c249944512a7af7859becc34ed054907d9c2d446e

SHA512
0ed96733a3d02961f2a0bc18b8403361e066f6282250743430502ea760e46e8a6514e7cf2cb7f4c20543a6646acbe709d82c601eae63ecedc067c416fa346462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d4f44e5eaee42210428c472f4ce6baea

SHA1
a12ed7a6f2f0085cadbff96409a486be64d94041

SHA256
fa894ef5b0bf3078db5446013f43995f9f7d5d45db491b3cfc2bf14bf9670252

SHA512
1199ea0a2d1057a0ec32e96d2c0a744dd692454d25022fdbcc4e0833f7adb3939a837f5a41fdc905fcb51f2fd945927240b9ea2002a67105c775c4488b2ee1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
331eeb27900bb6a94caded2795709a70

SHA1
15796fa3f7db732a3c86f81e923788bf6b90649f

SHA256
81377f61b3ce42960aeaa7b62961c1b56c1b851bf30b5035ac1d0a92f92906ef

SHA512
9ad22686477b404d014d5268a8a8ae9daf38b72f0d0f9dd21ed34b958a8079f41ea04f7dc02d3773951cd7a4479919680bdd4cd98e0d3f2a6b2a6e8186f35cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4f4489836946689e3abf2a43b712bb16

SHA1
4b550e2aec5adf5a28adc20fc6a8fdc6557b01c3

SHA256
1abd80567e390b04c4b55ec7ae8c251cc1168120f211682fc1b295eb2e85c001

SHA512
d6fd4ca7e21e0e1c23a55d74ebed18e16be927cf1744f2f892f1a3d0432c1a2241e112883913d4b56fefaadae822720d79fd3095a7a4054fdf573fc8d3f235eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e91d950f9a68844e6badb88c955e1a8f

SHA1
dce5fa7f2941ea27a96ba2d8c7072f2bdebb5063

SHA256
f81aff4b09b6baf976a96241ab976b19f6eef5d7566ee584277de2d31499938d

SHA512
1e67faf3911370c415c8a7a0519eeb5e7232d13701cb7977e4fd83afe3a2d8b3b1e6dfc8428674ba8f3e1781610929dda113734770d77b2682a6f47d94ef43df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58624f.TMP

Filesize
48B

MD5
85ea82743c0844124010f0c970f64450

SHA1
f0a0c006cc1632c55965fcf64d393dd5758c22ff

SHA256
e7e65a27fd8ebacad500540a347ccfa900dac83eebf467f67a2648c14d327b36

SHA512
08e8d3fb8d7b0a4cf62a25a30ab0312366d36d7f324a880fa45f97f74b6673b0db951458660f2986fd1e0556ce1e95fbfec106c3f07b74ccdbe958b185ad77a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74ab6bfd8e5f5af480d84d10d75e448a

SHA1
c5bff7ead1b2dc7c3e43295e82719b697a1e66ef

SHA256
d786078186a2bbb001b965fe217a9af1f1b7a16e6cfef4138f8dde4b1f4bb050

SHA512
196b8e33587a6490dc0770c7137d1c891b7b38becb9094083b7d264a3db372a5163c21362aedc1820e2b4984bdb85da34d05933e8bb9577a0cffe4c177af2cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
65ede435d14d6152f920337b2957ad05

SHA1
25c9ae78d3ce757dab3c17b106cf2c80b7177bdf

SHA256
06724437376ac78190fe9b8fe9de306b7dd02675d10f0b0800d4b9d64e7da596

SHA512
5f51a78a519479471a3d48b53c9aab163b8fb0c890d5643c164ae5878bac894bbd439db5cada629a32c04c68c753aa582429760b9b5f47135430f391bcd753d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b6460742ef4c161b11c7ddfda155371

SHA1
d59ca472d572d8d19e0aed86f90e86eb39012ceb

SHA256
33ff8995cf2b2e9f8377af1c3848e64de0f67939af30c78abe24fed849705d01

SHA512
f0f07ddec319da0bfb85cc354399a82b67ad217b154ffcd11abd9fc3da3b68ada8a0372fdbe2693c54d0083437f4ceadf0cda5d3de2b0682523307b403b7c64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584c08.TMP

Filesize
871B

MD5
8035574acf1d4439a8da74af2039d451

SHA1
ca8df23507d5bb81469956602f6a320c1859a8a6

SHA256
5e5109ec8e5637652525db904bfe32704022b11453252dfd75222ba0a467546d

SHA512
37179bacec9b6933a9fc105a46b2991c292c23508e0f3c93b762546d1ea8937242fe6633c46545a6d8bfa6eaa5f31373aa402a027357eae0b2442e0019f71949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b49a2c726b20e09c8c4032c3229cb937

SHA1
4934e49ce1c2bf1f7e0ef3bdf9081ab0f1c8eace

SHA256
8b2b53e57cf68ee09c9e38aad9fff12ed542b3388a99a79e4088db5202c2c7fa

SHA512
89011bef552413fcd3596b4e768766df25876f1b53f497b38a178e64205ffbaa74687cdfcff63fce4570491352c3376acc792548844749a380b8c27879681258

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
76B

MD5
6064234dc967f51b0389d434aad3a879

SHA1
f9bee77196a36be1560925b4ceb05a613243f7a7

SHA256
9203a73e16d55099e88ed50c8d948bd9f8412bf3e4ac3b9bdc96719bd627d3a0

SHA512
8f221c23abfe6cf68e80401947208d7d07e5651a5443d16decbf5773f28f89006210c4b1bac5a26b41b160630fd6cc16a909100ea39f7aafc631e8bc450e8347

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
cf6fbcbc1ff6007ef79fbd5a627d79cf

SHA1
57ee99cad3f0bd5632a709078dcb0afdf91efbee

SHA256
85b55f7da5a008707e197cf9fbcdd7ac53b286cbb2c54a3ecb9c360e033d07c8

SHA512
956a0b6110471bebb948f5ad22562a0e76a80ca6cdce22073e5bbcb4723bb1c4f3e37c800e252ba71172c467bdfdbb50150827a7dfb8e829c39063469dd0db39

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
21KB

MD5
1d0394cf33c9bdf438c3b05fe4b8c617

SHA1
8b04090dc8ae8982247575680988a6fc037f61fc

SHA256
4762c5c406920b9b28f567859d3eef8623b6484166e43b33c7a04cd0f0684dfe

SHA512
7c3e92906159a6cb5ed1dde26d5ead5e4bb6f24219bf070c45c787851f17ed329e8074a634dd964026b691c8b0f568c66aa736ad0e04df0fa32306f565bcb95b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
24KB

MD5
e2fc5f7c4e479982f270a6d9daeaa7b9

SHA1
e6b2f2c381d64b588d80fc2d7754515972ca48ec

SHA256
9be0f7268db367235d785653b7da1cec8374bee92c42732299f7193f430edb1c

SHA512
42d657ac14903eccaa037e1b8e554b2f3a2ca1066dc23ca7f32f3fcc0da8714ad1c0f2cd295b1f65a9a9f4f7bda2bab2d1991cf07bf72c5b829668d2b92cfd5e

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\tempa\[Content_Types].xml

Filesize
1KB

MD5
032ca7f377bd6b9ff101af947d6bcd4d

SHA1
6980c3796ebacd5856cd978b59810c3d72fc189f

SHA256
277823fdb808f43379494584bb072daacaf0a09d18e65469b7d91265602974a0

SHA512
5d1e03fe9b5af5782c85e3376807b67cc1a30aaa07debb7009687d0dfc399c96368ed87fabf5e92ffbbdd2e051eadd94fb9ad38d77fdb18dd195cb76b247a2db

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\tempa\_rels\.rels

Filesize
490B

MD5
2c77a16a85f36963875e495a559865cc

SHA1
b80e3e7c77385bcb17aa64077767f0528f548cb5

SHA256
975c492df5948b0779ace72078115b48a85cb9517724871257306503bf8e6f66

SHA512
77c92c9e8d810a4eb1c1e4b278815ebeaf3f04b8cd65f54398a554e72b36040565cd74d50afb692c7938665e6c065ddfc743a9de2a94106002e8cb7eb403a8a4

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\tempa\lib\net45\resources\app.asar.bsdiff

Filesize
6KB

MD5
3f560a469d35812b0a7c490f71a35cfe

SHA1
52efcc08978628f1c27830b4fd649326d856a3b5

SHA256
666a11de967f1a3ab22089e94675916b2a9439aee1c1c5b66a5740f2262d5428

SHA512
cc0ee21a29f871b2feb2598d7337f03b4f53d3b26ad6c4504e44f27b165efc951ec0987df0d7b57c75f6f2ff8e6cf135d06fcf760f175614f0efd589a6668f85

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\tempa\package\services\metadata\core-properties\e4cb8c84129145c88cd19a34ab4b3125.psmdcp

Filesize
636B

MD5
2cd106a9d240c1588f61cf8c70b5de25

SHA1
95e9be631dcb2ff2c122d2c6a8379a4e59469417

SHA256
c438a541a308ab7d3db4cf6dab25f1006690c01fe59eb3a2595d0f68714c9f8e

SHA512
a03ad1dff4d80abe75ea134f77d60ff14d4a76869f3683367ee2aabc3d5ff209a41626a304acdd68c2df9eef86362cb75cf73bf1feb1f368197318096a37d02e

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\tempb\WeMod.nuspec

Filesize
522B

MD5
ebef276cb985f2769ff7ba6399e7072e

SHA1
a7aa274c5eb5b8fae9a612376fa2950845ee7bf3

SHA256
d0c4693ff420d21d23b795038539661902f2b9005f410a4532365df9466b484a

SHA512
dfea7b648f8c21a534e2c841049d185b23cc7312eb4cd380c5a1f01481f892aee6fd1009645ea48db8b4680726b4b09e3eb5ee68ff5638f04ea4b27a0520d80e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\WeMod.exe

Filesize
539KB

MD5
c01c8cc6876a10ea78fdc848f9c4b703

SHA1
777435dded4be6acd36eb019e9f71938fc57a7b9

SHA256
571e82d292ba6c7b84e37eb9f3538dbf922a9def9732b652800bc60f4dcf52af

SHA512
b97c55e861b666bf2fd71df39ad2aef5ba7a681d97afe1bb8954d49429515630d166d66c1d5c172a94d160ec5ce275176781b0291ca2c1f12a83a1656a3b65f3

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\chrome_100_percent.pak

Filesize
146KB

MD5
6c2827fe702f454c8452a72ea0faf53c

SHA1
881f297efcbabfa52dd4cfe5bd2433a5568cc564

SHA256
2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663

SHA512
5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\chrome_200_percent.pak

Filesize
220KB

MD5
77088f98a0f7ea522795baec5c930d03

SHA1
9b272f152e19c478fcbd7eacf7356c3d601350ed

SHA256
83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d

SHA512
5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\ffmpeg.dll

Filesize
2.6MB

MD5
df9869ca79164a004fd908435c0e845a

SHA1
4b135a79d2ef60a408cd5a282958f74ef6f34f4d

SHA256
09392852cadfbb7990623d3b63151525c0ac130a72dc7fa46642ed5ecb8b4ed2

SHA512
fd3112c3f81c8e9961f5302ac8d30561664291010fd89addaa41878d055835d747f7774063285f147a15d2d3ed221d3cef5c379c6b5a2b499ec0aaffae6140ff

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\libEGL.dll

Filesize
479KB

MD5
7d4f44b94b3d33f7607f41aeb0b248bc

SHA1
95e1d45e7f8fc8141fc8ec184b36883305cbf20b

SHA256
65d755057c4ab46e2983e7ec4a395f4a94bf41b169debb4596674ac022d06395

SHA512
1b4e54fa2dcdefa73af373db555e6b02c389fa03a280ccc2127940c5c87e73ba56a4a285f287fc642134a702369cf933466946408f14a06eb411e2dd0c4ca670

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\libGLESv2.dll

Filesize
7.6MB

MD5
7ecf576d8ebadea401b99465d33e393a

SHA1
815d6e0c50bbd025d616d40ecfa1a2316b35bffe

SHA256
df5b19b88bc692a07f227ae6439bdedff74d6d75a4355a5cf401a3201eb3a45f

SHA512
5e1b0580039d9575eda3b799435a646fbd1692259812497937d206b9a228d36469c4bc8699a7030d9ff2f8610fcb4ff1d4f76ccc874caee8997fb8163684fb69

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\locales\en-US.pak

Filesize
443KB

MD5
88bbc725e7eedf18ef1e54e98f86f696

SHA1
831d6402443fc366758f478e55647a9baa0aa42f

SHA256
95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795

SHA512
92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources.pak

Filesize
5.1MB

MD5
a1373fd7976b2505d5a7bcc5c5612095

SHA1
aada11c623580a07d4ee6a51ae8a36088f521274

SHA256
ed14046f28a70e190b336824de2d907fb6c2b411ee9d68906eba747440eb4b05

SHA512
f7acd3fcd80bd87fdd0ca16ee8fc12b5dd4ef5cc2c868f01bf8b026f1a60d0f39610c5666de8431d24269fea1b0aca11af8e7b6ec75a125fa1d088a6fd071d4d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources\app.asar

Filesize
8.5MB

MD5
cee43920b78ae2876377b304088cfd2c

SHA1
99556655edfc6c864478817d4b799a8df28c5031

SHA256
b93f052a24e4e2936263d5cb87cd9d15f8591fedcaa1cde8a1b89b86f4e0b310

SHA512
5b17a9f4cdb023d3879b52b4561edea1669d410d4203847985cc8347e207bd13e97e8ede9eb9623f86875c5a3bc9fca27d9aaa8d822afc7e36af0ae12af868a3

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

Filesize
957KB

MD5
84451c77b1e233ae6f2433f771a391ad

SHA1
dc49de90def639cf0d4e727e1037ed8fb233f036

SHA256
5a6f4fb8a1defca3a194dd3bcc150359e103ba5c9271d9d94e4467a214391fea

SHA512
85fa8490948bab743787f17ea0b4a57f07df74fcfe981ab5d0cf978c645a67c869d0285a0f8573a4e9df7d10d7969b8c3268fa119e471ecbae67531e11d51082

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\resources\app.asar.unpacked\static\unpacked\icon.ico

Filesize
279KB

MD5
34ee19ccd44f31cd831dc50920f19890

SHA1
24545d2f4741fb5a4649840486ffd3597b7ade5b

SHA256
136cf9b3a30268d1d439df7b9fd9104cb1d83be7fd2b562c3e9a47450ae0df3d

SHA512
ded8ade93c143dc8abc7a76b03b4015a8637b2ee13b85dd70655d5857289f19ebef76562eace56a3ad3c2418fab5305bb0b6cadd0a412ddb781b8f496e82c74a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\squirrel.exe

Filesize
1.8MB

MD5
0a0885335047729ac72be42e0772a836

SHA1
946d9d40d2d60238c225b9c1a28af25faf27410e

SHA256
4be10958f8c53ebcf94622cdac1200ca97947aa365e346c8611818145a3f6c91

SHA512
fec4b79894241e438ba4e12f099398a67f6e2714d0331dbb44d55b6b4af267c1da36c9571b650b3ddafc9b3e2fddefe140bc1394da29af5ea7f69d7887f3d77c

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\v8_context_snapshot.bin

Filesize
641KB

MD5
228cb75c5b14fb790ec913a34c12b4d6

SHA1
aa6dbfb6cd403be3110f85c2a3ae72ab575645fb

SHA256
bb9c5a66316280c3d90ad63e20e34a7311972632bfd927f9d192407c13714444

SHA512
ab6b94de633b71a99b58f3924b0b8a351e0899ccff0fdab35e06938ad22ed62548a331b0b296a886f67941a642fd32d00ec2297b0d687139c0e57d2919739c19

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\vk_swiftshader.dll

Filesize
5.1MB

MD5
acc7dc761a806658d7c1fbbfc2340307

SHA1
e67f9dcc7f0f6e63285b930f72ab457684c23542

SHA256
98c3bc0529f9bf175bc795b3184832aad176546550f9ff9a88eeda116ec4db88

SHA512
9fb8fd21a32065f537303d24e0a5d3d071f1b1d4f7383c206a8c8db6c1936ad72d0ddf1f792ec2156ee527541af27a9b94c28db172eae30bc435bba8620b9435

Download Submit
C:\Users\Admin\AppData\Local\WeMod\packages\.betaId

Filesize
39B

MD5
ad441571bf7d3f9c5cb91b023329d31c

SHA1
7970de34f155bdc5553b0b21c6276f974db17345

SHA256
cf6eee6f48c01f159d7b598061743bc6582e3427b5678754f82a6a1b2fec3ded

SHA512
4a10e822548cc1d71ecd79d965f9aa94ddf2adcc7cc269ffd2f8505a8511e4e0be40149a93fb6c360689a96985a3e3158a55c52cd593e0478338dc18b5622747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Partitions\ads\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
memory/3592-180-0x0000000002BC0000-0x0000000002BE0000-memory.dmp

Filesize
128KB

Download
memory/4808-159-0x0000000000730000-0x000000000090C000-memory.dmp

Filesize
1.9MB

Download
memory/5044-166-0x000000002ACD0000-0x000000002ACDE000-memory.dmp

Filesize
56KB

Download
memory/5044-165-0x000000002AD00000-0x000000002AD38000-memory.dmp

Filesize
224KB

Download
memory/5044-32-0x0000000000A60000-0x0000000000C36000-memory.dmp

Filesize
1.8MB

Download
memory/5460-383-0x000000001BF10000-0x000000001C438000-memory.dmp

Filesize
5.2MB

Download
memory/5552-384-0x00000209094B0000-0x00000209095A2000-memory.dmp

Filesize
968KB

Download
memory/5552-387-0x000002090B2A0000-0x000002090B2C2000-memory.dmp

Filesize
136KB

Download