lumma | 336cd19c7a8b2f3ca8caca28150974099e524cea2fa8f08de617695cd8e903ec

Analysis

max time kernel
820s
max time network
635s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-04-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STAR WARS Jedi Fallen Order Trainer Setup.exe
Size

141KB
MD5

25a9688348b8a423b6459a62f013f9b2
SHA1

cd41c84250757633ee4a2802ed447eb98719bfe4
SHA256

336cd19c7a8b2f3ca8caca28150974099e524cea2fa8f08de617695cd8e903ec
SHA512

909b3b12374f550dc87df2e590c07925816a0eee40bc5d04ddfedb4bf7f5d5ac671c4e12786e86d6c41335590a4ef881a4c3cd200eb53d9e6a2ed294299bbc15
SSDEEP

3072:Bojm4ILlCI+4COHCyhaEtHZkOpk97oc4ILlCI+4TOHHSafx:Bd+bwaEtHLhiHt

Score

10^/10

lumma discovery stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

WeMod-Setup-638159643816762000.exeUpdate.exeSquirrel.exeWeMod.exeUpdate.exeWeMod.exe

pid process

1580 WeMod-Setup-638159643816762000.exe
1160 Update.exe
1720 Squirrel.exe
928 WeMod.exe
1996 Update.exe
1880 WeMod.exe
Loads dropped DLL 3 IoCs

Processes:

WeMod-Setup-638159643816762000.exeWeMod.exeWeMod.exe

pid process

1580 WeMod-Setup-638159643816762000.exe
928 WeMod.exe
1880 WeMod.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1580	WeMod-Setup-638159643816762000.exe
1160	Update.exe
1720	Squirrel.exe
928	WeMod.exe
1996	Update.exe
1880	WeMod.exe

pid	process
1580	WeMod-Setup-638159643816762000.exe
928	WeMod.exe
1880	WeMod.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

STAR WARS Jedi Fallen Order Trainer Setup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1"	STAR WARS Jedi Fallen Order Trainer Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	STAR WARS Jedi Fallen Order Trainer Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34"	STAR WARS Jedi Fallen Order Trainer Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "34"	STAR WARS Jedi Fallen Order Trainer Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	STAR WARS Jedi Fallen Order Trainer Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com	STAR WARS Jedi Fallen Order Trainer Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "34"	STAR WARS Jedi Fallen Order Trainer Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage	STAR WARS Jedi Fallen Order Trainer Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com	STAR WARS Jedi Fallen Order Trainer Setup.exe

Modifies registry class 7 IoCs

Processes:

WeMod.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod\ = "URL:wemod"	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod\shell\open\command	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod\shell	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod\shell\open	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.5.0\\WeMod.exe\" \"%1\""	WeMod.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod	WeMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\wemod\URL Protocol	WeMod.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Update.exeWeMod.exe

pid process

1160 Update.exe
1160 Update.exe
1880 WeMod.exe
1880 WeMod.exe

pid	process
1160	Update.exe
1160	Update.exe
1880	WeMod.exe
1880	WeMod.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

STAR WARS Jedi Fallen Order Trainer Setup.exeUpdate.exeWeMod.exe

description	pid	process
Token: SeDebugPrivilege	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe
Token: SeDebugPrivilege	1160	Update.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe
Token: SeShutdownPrivilege	1880	WeMod.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

STAR WARS Jedi Fallen Order Trainer Setup.exe

pid process

1704 STAR WARS Jedi Fallen Order Trainer Setup.exe
1704 STAR WARS Jedi Fallen Order Trainer Setup.exe

pid	process
1704	STAR WARS Jedi Fallen Order Trainer Setup.exe
1704	STAR WARS Jedi Fallen Order Trainer Setup.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

STAR WARS Jedi Fallen Order Trainer Setup.exeWeMod-Setup-638159643816762000.exeUpdate.exeUpdate.exeWeMod.exe

description	pid	process	target process
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1704 wrote to memory of 1580	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	WeMod-Setup-638159643816762000.exe
PID 1580 wrote to memory of 1160	1580	WeMod-Setup-638159643816762000.exe	Update.exe
PID 1580 wrote to memory of 1160	1580	WeMod-Setup-638159643816762000.exe	Update.exe
PID 1580 wrote to memory of 1160	1580	WeMod-Setup-638159643816762000.exe	Update.exe
PID 1580 wrote to memory of 1160	1580	WeMod-Setup-638159643816762000.exe	Update.exe
PID 1160 wrote to memory of 1720	1160	Update.exe	Squirrel.exe
PID 1160 wrote to memory of 1720	1160	Update.exe	Squirrel.exe
PID 1160 wrote to memory of 1720	1160	Update.exe	Squirrel.exe
PID 1160 wrote to memory of 928	1160	Update.exe	WeMod.exe
PID 1160 wrote to memory of 928	1160	Update.exe	WeMod.exe
PID 1160 wrote to memory of 928	1160	Update.exe	WeMod.exe
PID 1160 wrote to memory of 928	1160	Update.exe	WeMod.exe
PID 1704 wrote to memory of 1996	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	Update.exe
PID 1704 wrote to memory of 1996	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	Update.exe
PID 1704 wrote to memory of 1996	1704	STAR WARS Jedi Fallen Order Trainer Setup.exe	Update.exe
PID 1996 wrote to memory of 1880	1996	Update.exe	WeMod.exe
PID 1996 wrote to memory of 1880	1996	Update.exe	WeMod.exe
PID 1996 wrote to memory of 1880	1996	Update.exe	WeMod.exe
PID 1996 wrote to memory of 1880	1996	Update.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe
PID 1880 wrote to memory of 1292	1880	WeMod.exe	WeMod.exe

C:\Users\Admin\AppData\Local\Temp\STAR WARS Jedi Fallen Order Trainer Setup.exe
"C:\Users\Admin\AppData\Local\Temp\STAR WARS Jedi Fallen Order Trainer Setup.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638159643816762000.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638159643816762000.exe" --silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\Squirrel.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
4⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe" --squirrel-install 8.5.0
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928

C:\Users\Admin\AppData\Local\WeMod\Update.exe
"C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://titles/36630?_inst=uEUkR6DhRtf5Kszg"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe" wemod://titles/36630?_inst=uEUkR6DhRtf5Kszg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
"C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1000 --field-trial-handle=1084,i,7024060540314033899,3835887462345559318,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES
Filesize
76B

MD5
0b90c6926befa5dbf6d2d8d97e650ea5

SHA1
0c8e2327f01a4c6455a42d5f18e56242d2658082

SHA256
18fc2d9a4c3405043bcd54b2c8193f1fd110a531b83177b168ba3d25bac8ed11

SHA512
24da3d6bddf930d80e04798f5fe60db73748eeeae8238de5bb5a5b7d98df73d66a456159be819d574d5ff5fc6f0663c57ea3044892b810549c26aca168ce8491

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
Filesize
1.8MB

MD5
1f4c7ac0f30d95edbe542b77bbdb5ed2

SHA1
f95163ed631e57fc478fa74f5d31ca5106b5c95b

SHA256
6d38745793e383f922f90719d5a9444ddaf9d8a25ae7ad83450a58e4564fe41c

SHA512
e9b9aab1dfbef58a1bf6228e3e820f5b8673c73d53ea28b1519f1ba66fe9dab7c8dc3ba78315e73cfc7f28fce04167c6c4badbf191d9ee5df48d306483d7238a

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
Filesize
1.8MB

MD5
1f4c7ac0f30d95edbe542b77bbdb5ed2

SHA1
f95163ed631e57fc478fa74f5d31ca5106b5c95b

SHA256
6d38745793e383f922f90719d5a9444ddaf9d8a25ae7ad83450a58e4564fe41c

SHA512
e9b9aab1dfbef58a1bf6228e3e820f5b8673c73d53ea28b1519f1ba66fe9dab7c8dc3ba78315e73cfc7f28fce04167c6c4badbf191d9ee5df48d306483d7238a

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\WeMod-8.5.0-full.nupkg
Filesize
98.1MB

MD5
660861f1171364698499519c06c22d57

SHA1
30142d06e585bfc832f7fe2b9afbb933f928ac6f

SHA256
4fe7046f9e17618013c0f8038d607ddac3738cf814ace553724bb20a24e4a34c

SHA512
1bc16c595db7f6b7408de8d46c8ba0f2a7869442875624f530ca13c8685c5ddcbb8448c738f1c97c0f2905dc9383689fb7351e4f55df646fe552de664e1a4c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638159643816762000.exe
Filesize
98.9MB

MD5
0a79ca5414d0b397ed93437a694622bc

SHA1
882ce3a09f39a9f2b72b7187d92d37fb9d7de57a

SHA256
af93691dcdacad747705b4fd30685b2a3c87edaf30b95db44151905678e3c934

SHA512
8d8abe9214e1fd4cbdccb5d51e0b19be6767b915a44aa15dccbfe3770a07cb6d806a35b7ac0cfeb276b21e15189869ac02aaf5938e42e3dbd931c89c81e21dac

Download Submit
C:\Users\Admin\AppData\Local\WeMod\Update.exe
Filesize
1.8MB

MD5
72d640aa4ca25f2e9bb6bf63433a2808

SHA1
bc03640081764bf26c9888a252126bf5fa150595

SHA256
e5eb13cd6018bfb0b8576f37f1f9001e299a33f95d0fb59366c57cadb4d1afc7

SHA512
ad37209d607076706d3eb14d12e3b2b371d4ebe14ecce4a602e9e670f22af7e0de422b3bfab75452ee9ec1619fb4e2856edef3a4ab31bd343be15a8b9ea8ab5f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\Update.exe
Filesize
1.8MB

MD5
72d640aa4ca25f2e9bb6bf63433a2808

SHA1
bc03640081764bf26c9888a252126bf5fa150595

SHA256
e5eb13cd6018bfb0b8576f37f1f9001e299a33f95d0fb59366c57cadb4d1afc7

SHA512
ad37209d607076706d3eb14d12e3b2b371d4ebe14ecce4a602e9e670f22af7e0de422b3bfab75452ee9ec1619fb4e2856edef3a4ab31bd343be15a8b9ea8ab5f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\Update.exe
Filesize
1.8MB

MD5
72d640aa4ca25f2e9bb6bf63433a2808

SHA1
bc03640081764bf26c9888a252126bf5fa150595

SHA256
e5eb13cd6018bfb0b8576f37f1f9001e299a33f95d0fb59366c57cadb4d1afc7

SHA512
ad37209d607076706d3eb14d12e3b2b371d4ebe14ecce4a602e9e670f22af7e0de422b3bfab75452ee9ec1619fb4e2856edef3a4ab31bd343be15a8b9ea8ab5f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\Squirrel.exe
Filesize
1.8MB

MD5
72d640aa4ca25f2e9bb6bf63433a2808

SHA1
bc03640081764bf26c9888a252126bf5fa150595

SHA256
e5eb13cd6018bfb0b8576f37f1f9001e299a33f95d0fb59366c57cadb4d1afc7

SHA512
ad37209d607076706d3eb14d12e3b2b371d4ebe14ecce4a602e9e670f22af7e0de422b3bfab75452ee9ec1619fb4e2856edef3a4ab31bd343be15a8b9ea8ab5f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
Filesize
127.9MB

MD5
f663c2b81feb82e55f4bb297116dae17

SHA1
6b210465569dc0081950c390b96fb4dcdd79bcbe

SHA256
10df644e3ba80f0628e02ab1a102d65d949940fe6b2bb4afe1d43d29b92dcf8f

SHA512
73e8fc4b663fdd82c5fc6a61c860dd8cde6c754b7995200e018eaf76c56b51743d53c60b5ab18fedeaea2a380eb49822d2af767c10588203961099b2406c7efc

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
Filesize
127.9MB

MD5
f663c2b81feb82e55f4bb297116dae17

SHA1
6b210465569dc0081950c390b96fb4dcdd79bcbe

SHA256
10df644e3ba80f0628e02ab1a102d65d949940fe6b2bb4afe1d43d29b92dcf8f

SHA512
73e8fc4b663fdd82c5fc6a61c860dd8cde6c754b7995200e018eaf76c56b51743d53c60b5ab18fedeaea2a380eb49822d2af767c10588203961099b2406c7efc

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
Filesize
127.9MB

MD5
f663c2b81feb82e55f4bb297116dae17

SHA1
6b210465569dc0081950c390b96fb4dcdd79bcbe

SHA256
10df644e3ba80f0628e02ab1a102d65d949940fe6b2bb4afe1d43d29b92dcf8f

SHA512
73e8fc4b663fdd82c5fc6a61c860dd8cde6c754b7995200e018eaf76c56b51743d53c60b5ab18fedeaea2a380eb49822d2af767c10588203961099b2406c7efc

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\WeMod.exe
Filesize
127.9MB

MD5
f663c2b81feb82e55f4bb297116dae17

SHA1
6b210465569dc0081950c390b96fb4dcdd79bcbe

SHA256
10df644e3ba80f0628e02ab1a102d65d949940fe6b2bb4afe1d43d29b92dcf8f

SHA512
73e8fc4b663fdd82c5fc6a61c860dd8cde6c754b7995200e018eaf76c56b51743d53c60b5ab18fedeaea2a380eb49822d2af767c10588203961099b2406c7efc

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\chrome_100_percent.pak
Filesize
126KB

MD5
44a69827d4aa75426f3c577af2f8618e

SHA1
7bdd115425b05414b64dcdb7d980b92ecd3f15b3

SHA256
bca4401b578a6ac0fe793e8519fed82b5444972b7d6c176ec0369ed13beaad7b

SHA512
5c7bdf1f1deb72c79b860bf48f16c19cb19b4d861c0b6beb585512ad58b1bc4b64e24edfcd97233e5b91dcd0f63ed1c7b278d22ec062fd0dfe28fe49cae52049

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\chrome_200_percent.pak
Filesize
175KB

MD5
9c379fc04a7bf1a853b14834f58c9f4b

SHA1
c105120fd00001c9ebdf2b3b981ecccb02f8eefb

SHA256
b2c25fb30fee5f04ccdb8bf3c937a667502d266e428425feeb5af964f6167d48

SHA512
f28844dba7780e5f5c9d77ac3d29069dfcd6698447d5723886e510eadd51d6285e06adbda06bf4a69f841afc161c764cb2e5b9ad2c92f0a87176709b4acd2c13

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\ffmpeg.dll
Filesize
2.4MB

MD5
fe1bd381ac07068295f1990e794ada6c

SHA1
3a8c8cfa51d33453392f776be88b9bec50d561ad

SHA256
93f1c82567e50b17ae3270e748d3b1456b260cb718cd20f49b4197c864b1a464

SHA512
78ef7486cc8ddb940c4b3710dd567b9918daea06b4e86740a2fc51a0384638c0bafbadd40d3e37f99af1bf8e5bd1c951f1c1ea3d876494a4d323834f330c781f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\icudtl.dat
Filesize
10.0MB

MD5
cf9421b601645bda331c7136a0a9c3f8

SHA1
9950d66df9022f1caa941ab0e9647636f7b7a286

SHA256
8d8a74ca376338623170d59c455476218d5a667d5991a52556aa9c9a70ebc5e5

SHA512
bc9601e2b4ab28130bfadfd6f61b3ed500deb0bd235dc5ca94999c09f59d10bdcbf278869a9802f918830041f620c88e2c3b506608ade661db48ccd84c1977eb

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\locales\en-US.pak
Filesize
302KB

MD5
3fef69b20e6f9599e9c2369398e571c0

SHA1
92be2b65b62938e6426ab333c82d70d337666784

SHA256
a99bd31907bbdc12bdfbff7b9da6ddd850c273f3a6ece64ee8d1d9b6ef0c501c

SHA512
3057edfb719c07972fd230514ac5e02f88b04c72356fa4a5e5291677dcbab03297942d5ecdc62c8e58d0088aed4d6ea53806c01f0ea622942feb06584241ad2d

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\resources.pak
Filesize
5.2MB

MD5
f24c85d2b898b6b4de118f6a2e63a244

SHA1
731adfc20807874b70bda7e2661e66ff6987e069

SHA256
aca9267dd8f530135d67240aa897112467bae77cd5fe1a549c69732fdf2803c6

SHA512
b49f6a4eb870b01b48b4cfbf5a73c1727cf7847a9505f7c11ce6befdbef868484867f6e0ac66aea8177ca5cab2abba1cae5ac626a8e3f44fc001cac0fe820c61

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\resources\app.asar
Filesize
6.5MB

MD5
b74477056326a2c0e27a0da6c25422af

SHA1
d8f501d8b4c485f46fae9d9f80c0a2bb2afa912f

SHA256
ae7368363955d479f3afbd0c0d00c3e22cb0f32fa6b2dcf1a782a94a3dc21df8

SHA512
49f7e52847906baa40ba282efd227a2a649d548cdfb42476a9020ae9ad53f308d8aa6d487a194b9208b83bcf545cbea7ae0d3bcd9b294769f132adfde140bd4e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\resources\app.asar.unpacked\static\unpacked\icon.ico
Filesize
279KB

MD5
34ee19ccd44f31cd831dc50920f19890

SHA1
24545d2f4741fb5a4649840486ffd3597b7ade5b

SHA256
136cf9b3a30268d1d439df7b9fd9104cb1d83be7fd2b562c3e9a47450ae0df3d

SHA512
ded8ade93c143dc8abc7a76b03b4015a8637b2ee13b85dd70655d5857289f19ebef76562eace56a3ad3c2418fab5305bb0b6cadd0a412ddb781b8f496e82c74a

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\squirrel.exe
Filesize
1.8MB

MD5
72d640aa4ca25f2e9bb6bf63433a2808

SHA1
bc03640081764bf26c9888a252126bf5fa150595

SHA256
e5eb13cd6018bfb0b8576f37f1f9001e299a33f95d0fb59366c57cadb4d1afc7

SHA512
ad37209d607076706d3eb14d12e3b2b371d4ebe14ecce4a602e9e670f22af7e0de422b3bfab75452ee9ec1619fb4e2856edef3a4ab31bd343be15a8b9ea8ab5f

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-8.5.0\v8_context_snapshot.bin
Filesize
590KB

MD5
dd9ca4878bba782613cba372de1c36f4

SHA1
2eefcb6fcaa4b2ed717c952895710be5701871a7

SHA256
ea33ca96024769386ae0ff100c2ae239507006d7340f1f8bbc5bcfb4195f9226

SHA512
0791d3827a6de5745d3424c562b16604cf311ed6fcb4cf62d2c7f54ec0b7f3535b1114e919d2ba6d144cbe9f45418a555ab3fd801078bd8d563a656796f5d4e6

Download Submit
C:\Users\Admin\AppData\Local\WeMod\packages\RELEASES
Filesize
76B

MD5
0b90c6926befa5dbf6d2d8d97e650ea5

SHA1
0c8e2327f01a4c6455a42d5f18e56242d2658082

SHA256
18fc2d9a4c3405043bcd54b2c8193f1fd110a531b83177b168ba3d25bac8ed11

SHA512
24da3d6bddf930d80e04798f5fe60db73748eeeae8238de5bb5a5b7d98df73d66a456159be819d574d5ff5fc6f0663c57ea3044892b810549c26aca168ce8491

Download Submit
C:\Users\Admin\AppData\Local\WeMod\packages\RELEASES
Filesize
76B

MD5
0b90c6926befa5dbf6d2d8d97e650ea5

SHA1
0c8e2327f01a4c6455a42d5f18e56242d2658082

SHA256
18fc2d9a4c3405043bcd54b2c8193f1fd110a531b83177b168ba3d25bac8ed11

SHA512
24da3d6bddf930d80e04798f5fe60db73748eeeae8238de5bb5a5b7d98df73d66a456159be819d574d5ff5fc6f0663c57ea3044892b810549c26aca168ce8491

Download Submit
C:\Users\Admin\AppData\Local\WeMod\packages\WeMod-8.5.0-full.nupkg
Filesize
98.1MB

MD5
660861f1171364698499519c06c22d57

SHA1
30142d06e585bfc832f7fe2b9afbb933f928ac6f

SHA256
4fe7046f9e17618013c0f8038d607ddac3738cf814ace553724bb20a24e4a34c

SHA512
1bc16c595db7f6b7408de8d46c8ba0f2a7869442875624f530ca13c8685c5ddcbb8448c738f1c97c0f2905dc9383689fb7351e4f55df646fe552de664e1a4c6f

Download Submit
C:\Users\Admin\AppData\Roaming\WeMod\Local Storage\leveldb\CURRENT~RF6d911a.TMP
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
Filesize
1.8MB

MD5
1f4c7ac0f30d95edbe542b77bbdb5ed2

SHA1
f95163ed631e57fc478fa74f5d31ca5106b5c95b

SHA256
6d38745793e383f922f90719d5a9444ddaf9d8a25ae7ad83450a58e4564fe41c

SHA512
e9b9aab1dfbef58a1bf6228e3e820f5b8673c73d53ea28b1519f1ba66fe9dab7c8dc3ba78315e73cfc7f28fce04167c6c4badbf191d9ee5df48d306483d7238a

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.5.0\ffmpeg.dll
Filesize
2.4MB

MD5
fe1bd381ac07068295f1990e794ada6c

SHA1
3a8c8cfa51d33453392f776be88b9bec50d561ad

SHA256
93f1c82567e50b17ae3270e748d3b1456b260cb718cd20f49b4197c864b1a464

SHA512
78ef7486cc8ddb940c4b3710dd567b9918daea06b4e86740a2fc51a0384638c0bafbadd40d3e37f99af1bf8e5bd1c951f1c1ea3d876494a4d323834f330c781f

Download Submit
\Users\Admin\AppData\Local\WeMod\app-8.5.0\ffmpeg.dll
Filesize
2.4MB

MD5
fe1bd381ac07068295f1990e794ada6c

SHA1
3a8c8cfa51d33453392f776be88b9bec50d561ad

SHA256
93f1c82567e50b17ae3270e748d3b1456b260cb718cd20f49b4197c864b1a464

SHA512
78ef7486cc8ddb940c4b3710dd567b9918daea06b4e86740a2fc51a0384638c0bafbadd40d3e37f99af1bf8e5bd1c951f1c1ea3d876494a4d323834f330c781f

Download Submit
memory/1160-242-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/1160-135-0x0000000001390000-0x0000000001566000-memory.dmp

Filesize
1.8MB

Download
memory/1160-139-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/1292-295-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1704-104-0x0000000022530000-0x0000000022CD6000-memory.dmp

Filesize
7.6MB

Download
memory/1704-55-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-119-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-56-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-120-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-136-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-57-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-121-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1704-54-0x0000000000D50000-0x0000000000D76000-memory.dmp

Filesize
152KB

Download
memory/1720-240-0x00000000011F0000-0x00000000013CC000-memory.dmp

Filesize
1.9MB

Download
memory/1880-355-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1996-273-0x00000000002A0000-0x000000000047C000-memory.dmp

Filesize
1.9MB

Download