Malware analysis WeMod-Setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	WeMod-Setup.exe
Full analysis:	https://app.any.run/tasks/3c49c843-4d01-49a1-9a61-ea86f035a3a9
Verdict:	Malicious activity
Analysis date:	January 03, 2025, 05:34:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	65CF26AE6C77EC08315F767C146AC6D2
SHA1:	93E7CC33B62BFBFF50584B1C300E95D7DD2740BB
SHA256:	67FC030A68F6929D5E614787B9ECA01A7C8BBB6184204CCB76A5C647C1C2506D
SSDEEP:	1536:Q668Dtf9nk7RBog5KG6JkOiVPL+09ME5LBtJD64uQgCYO6+YFyHA7OqCkNRBog5m:w8DvE57miVj+J6pHdHg7OA57N/u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WeMod-Setup.exe (PID: 6284)
  - WeModAuxiliaryService.exe (PID: 4984)
- Reads Microsoft Outlook installation path
  - WeMod-Setup.exe (PID: 6284)
- Checks Windows Trust Settings
  - WeMod-Setup.exe (PID: 6284)
  - WeModAuxiliaryService.exe (PID: 4984)
- Reads Internet Explorer settings
  - WeMod-Setup.exe (PID: 6284)
- Executable content was dropped or overwritten
  - Update.exe (PID: 2324)
  - WeMod-Setup-638714792643364968.exe (PID: 5556)
- Process drops legitimate windows executable
  - Update.exe (PID: 2324)
- Reads the date of Windows installation
  - Update.exe (PID: 2324)
  - WeMod-Setup.exe (PID: 6284)
  - Update.exe (PID: 1744)
- Searches for installed software
  - Update.exe (PID: 2324)
- Creates a software uninstall entry
  - Update.exe (PID: 2324)
- Application launched itself
  - WeMod.exe (PID: 3172)
INFO
- Reads the computer name
  - WeMod-Setup.exe (PID: 6284)
  - Update.exe (PID: 2324)
  - Update.exe (PID: 5080)
  - squirrel.exe (PID: 5588)
  - Update.exe (PID: 1744)
  - WeMod.exe (PID: 3172)
  - WeMod.exe (PID: 6588)
  - Update.exe (PID: 1544)
- Reads the machine GUID from the registry
  - WeMod-Setup.exe (PID: 6284)
  - Update.exe (PID: 2324)
  - Update.exe (PID: 5080)
  - Update.exe (PID: 1544)
  - WeModAuxiliaryService.exe (PID: 4984)
- Reads Environment values
  - WeMod-Setup.exe (PID: 6284)
  - WeMod.exe (PID: 2928)
  - Update.exe (PID: 2324)
  - WeMod.exe (PID: 3172)
  - Update.exe (PID: 1544)
- Creates files or folders in the user directory
  - WeMod-Setup-638714792643364968.exe (PID: 5556)
  - Update.exe (PID: 2324)
  - Update.exe (PID: 5080)
  - squirrel.exe (PID: 5588)
  - Update.exe (PID: 1744)
  - WeMod.exe (PID: 3172)
  - Update.exe (PID: 1544)
  - WeMod.exe (PID: 2092)
  - WeMod-Setup.exe (PID: 6284)
  - WeModAuxiliaryService.exe (PID: 4984)
- Checks supported languages
  - Update.exe (PID: 2324)
  - WeMod.exe (PID: 2928)
  - Update.exe (PID: 5080)
  - squirrel.exe (PID: 5588)
  - Update.exe (PID: 1744)
  - WeMod.exe (PID: 6588)
  - WeMod.exe (PID: 2092)
  - WeMod.exe (PID: 3172)
  - WeMod.exe (PID: 6192)
  - Update.exe (PID: 1544)
  - WeModAuxiliaryService.exe (PID: 4984)
  - WeMod.exe (PID: 1228)
  - WeMod-Setup.exe (PID: 6284)
- Create files in a temporary directory
  - Update.exe (PID: 2324)
  - WeMod.exe (PID: 3172)
  - Update.exe (PID: 1544)
  - WeMod-Setup.exe (PID: 6284)
- The sample compiled with english language support
  - Update.exe (PID: 2324)
- The process uses the downloaded file
  - Update.exe (PID: 2324)
  - Update.exe (PID: 1744)
  - WeMod-Setup.exe (PID: 6284)
- Process checks computer location settings
  - Update.exe (PID: 2324)
  - WeMod-Setup.exe (PID: 6284)
  - Update.exe (PID: 1744)
  - WeMod.exe (PID: 6192)
  - WeMod.exe (PID: 1228)
- Reads product name
  - WeMod.exe (PID: 2928)
  - WeMod.exe (PID: 3172)
- Disables trace logs
  - Update.exe (PID: 2324)
  - WeMod-Setup.exe (PID: 6284)
  - Update.exe (PID: 1544)
- Reads the software policy settings
  - Update.exe (PID: 2324)
  - WeMod-Setup.exe (PID: 6284)
  - Update.exe (PID: 1544)
  - WeModAuxiliaryService.exe (PID: 4984)
- Checks proxy server information
  - WeModAuxiliaryService.exe (PID: 4984)
  - WeMod-Setup.exe (PID: 6284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2076:12:06 19:29:50+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	105984
InitializedDataSize:	28160
UninitializedDataSize:	-
EntryPoint:	0x1bcfe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	8.0.0.0
ProductVersionNumber:	8.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	WeMod Setup
CompanyName:	WeMod LLC
FileDescription:	WeMod Setup
FileVersion:	8.0.0.0
InternalName:	WeMod-Setup.exe
LegalCopyright:	Copyright © WeMod LLC 2022
LegalTrademarks:	-
OriginalFileName:	WeMod-Setup.exe
ProductName:	WeMod
ProductVersion:	8.0.0.0
AssemblyVersion:	8.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

141

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1228

"C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\admin\AppData\Local\WeMod\app-9.21.0\resources\app.asar" --enable-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3640,i,11004225269621478822,13163667652735573069,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:1

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe

—

WeMod.exe

User:

admin

Company:

WeMod

Integrity Level:

LOW

Description:

WeMod - Cheats and Mods

Version:

9.21.0

1544

C:\Users\admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable?osVersion=10.0.19045

C:\Users\admin\AppData\Local\WeMod\Update.exe

WeMod.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\wemod\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1744

"C:\Users\admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://?_inst=7gKvqatsG6HNvutj"

C:\Users\admin\AppData\Local\WeMod\Update.exe

—

WeMod-Setup.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\wemod\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2092

"C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\admin\AppData\Roaming\WeMod" --field-trial-handle=2172,i,11004225269621478822,13163667652735573069,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:3

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe

WeMod.exe

User:

admin

Company:

WeMod

Integrity Level:

MEDIUM

Description:

WeMod - Cheats and Mods

Version:

9.21.0

Modules

Images
c:\users\admin\appdata\local\wemod\app-9.21.0\wemod.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2324

"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent

C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe

WeMod-Setup-638714792643364968.exe

User:

admin

Company:

GitHub

Integrity Level:

MEDIUM

Description:

Update

Exit code:

Version:

2.0.1.53

Modules

Images
c:\users\admin\appdata\local\squirreltemp\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2928

"C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe" --squirrel-install 9.21.0

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe

—

Update.exe

User:

admin

Company:

WeMod

Integrity Level:

MEDIUM

Description:

WeMod - Cheats and Mods

Exit code:

Version:

9.21.0

Modules

Images
c:\users\admin\appdata\local\wemod\app-9.21.0\wemod.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\combase.dll

3172

"C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe" wemod://?_inst=7gKvqatsG6HNvutj

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe

—

Update.exe

User:

admin

Company:

WeMod

Integrity Level:

MEDIUM

Description:

WeMod - Cheats and Mods

Version:

9.21.0

Modules

Images
c:\users\admin\appdata\local\wemod\app-9.21.0\wemod.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\users\admin\appdata\local\wemod\app-9.21.0\ffmpeg.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

4984

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1735882511236_Out

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe

WeMod.exe

User:

admin

Company:

WeMod LLC

Integrity Level:

MEDIUM

Description:

WeMod

Version:

7.2.0.0

5080

C:\Users\admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe

C:\Users\admin\AppData\Local\WeMod\Update.exe

—

WeMod.exe

User:

admin

Company:

GitHub

Integrity Level:

MEDIUM

Description:

Update

Exit code:

Version:

2.0.1.53

Modules

Images
c:\users\admin\appdata\local\wemod\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

5432

"C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\admin\AppData\Local\WeMod\app-9.21.0\resources\app.asar" --enable-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2604,i,11004225269621478822,13163667652735573069,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1

C:\Users\admin\AppData\Local\WeMod\app-9.21.0\WeMod.exe

—

WeMod.exe

User:

admin

Company:

WeMod

Integrity Level:

LOW

Description:

WeMod - Cheats and Mods

Version:

9.21.0

Add for printing

Total events

10 391

Read events

10 326

Write events

Delete events

Modification events


(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6284) WeMod-Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod-Setup_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing

Add for printing

Executable files

Suspicious files

119

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6284	WeMod-Setup.exe	C:\Users\admin\AppData\Local\Temp\WeMod-Setup-638714792643364968.exe		—
		MD5:—	SHA256:—
5556	WeMod-Setup-638714792643364968.exe	C:\Users\admin\AppData\Local\SquirrelTemp\WeMod-9.21.0-full.nupkg		—
		MD5:—	SHA256:—
2324	Update.exe	C:\Users\admin\AppData\Local\WeMod\packages\WeMod-9.21.0-full.nupkg		—
		MD5:—	SHA256:—
6284	WeMod-Setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\Inter-ExtraLight-7d759358c1[1].woff		binary
		MD5:7D759358C1372FA6ACAE4CB22F93DEFA	SHA256:07F5B5F734793F48613D8DA246F4DB2B564BFA7149F62526326BE9CB8BB94841
6284	WeMod-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:47D1C60CCC14B2244420ABC9D69FC1C1	SHA256:B4157239434B48AFC9D772141203A56F2D7A6FE13F213C27830BBF35C36A21A1
6284	WeMod-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:67E486B2F148A3FCA863728242B6273E	SHA256:FACAF1C3A4BF232ABCE19A2D534E495B0D3ADC7DBE3797D336249AA6F70ADCFB
6284	WeMod-Setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\Inter-Bold-45e58f4054[1].woff		binary
		MD5:45E58F4054A3AD886E4582E1D43056FE	SHA256:57027B1C72507C75CF9FC21DCBBBD4366F01901B598764CB8703DFA4988A60CA
2324	Update.exe	C:\Users\admin\AppData\Local\WeMod\app-9.21.0\icudtl.dat		—
		MD5:—	SHA256:—
6284	WeMod-Setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\Inter-Light-0f0118feb7[1].woff		binary
		MD5:0F0118FEB71664927EA7FB8015778795	SHA256:CB671D0DBC9A61EC80BFC91D5879E8635A09B7F309F5EE57810D4C6B7A26EE0C
6284	WeMod-Setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\setup[1].htm		html
		MD5:D8692111A47203D9C6C602A5CE0E4D27	SHA256:BE276906ECD78FEC0882675EDBA3B85F3D00252C52BF63B0D1929E3BB239012B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6284	WeMod-Setup.exe	GET	200	142.250.185.227:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6284	WeMod-Setup.exe	GET	200	142.250.185.227:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
—	—	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5780	svchost.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6164	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6672	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6164	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4984	WeModAuxiliaryService.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4864	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	2.19.80.89:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5780	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6284	WeMod-Setup.exe	172.67.25.118:443	api.wemod.com	CLOUDFLARENET	US	whitelisted
6284	WeMod-Setup.exe	142.250.185.227:80	c.pki.goog	GOOGLE	US	whitelisted
5780	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	2.19.80.89 2.19.80.27	whitelisted
google.com	216.58.206.78	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
api.wemod.com	172.67.25.118 104.22.42.75 104.22.43.75	whitelisted
c.pki.goog	142.250.185.227	whitelisted
storage-cdn.wemod.com	172.67.25.118 104.22.43.75 104.22.42.75	whitelisted
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.138	whitelisted
www.microsoft.com	23.38.73.129	whitelisted
login.live.com	20.190.159.73 20.190.159.75 40.126.31.69 20.190.159.0 20.190.159.4 20.190.159.64 40.126.31.71 20.190.159.71	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

WeMod-Setup.exe

65CF26AE6C77EC08315F767C146AC6D2

93E7CC33B62BFBFF50584B1C300E95D7DD2740BB

67FC030A68F6929D5E614787B9ECA01A7C8BBB6184204CCB76A5C647C1C2506D

1536:Q668Dtf9nk7RBog5KG6JkOiVPL+09ME5LBtJD64uQgCYO6+YFyHA7OqCkNRBog5m:w8DvE57miVj+J6pHdHg7OA57N/u

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Checks Windows Trust Settings

Reads Internet Explorer settings

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads the date of Windows installation

Searches for installed software

Creates a software uninstall entry

Application launched itself

INFO

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Creates files or folders in the user directory

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

The process uses the downloaded file

Process checks computer location settings

Reads product name

Disables trace logs

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings