meduza | f6de40a0e0c5b51daa70456189d10f7fc1e7dcd36168cf8afcb17035efda6686

Analysis

max time kernel
48s
max time network
214s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 10:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WeChat.exe
Size

644KB
MD5

66eb21741ecfc2a8a53a24d65ec7a40a
SHA1

6d70532a0b9a1012da004bb78461fff8d9845253
SHA256

64cd27f902fdf3e74c2ed74f7640ec000441ef46daffa20416da582e751b18a8
SHA512

47289021ab9543a30a2ab647f42619cba048be9c03f4b8c6fbc888bb7167c0cd8868e482114874c0b6c8f02dc48b6e87d22b1c4f04e53a0d20b62897199955be
SSDEEP

6144:GYEMF2LJ65kzLpKhlD24mjLrTeXivA29PR7YK:GYEtLJ65kzLpA1VOr9J/N

Score

10^/10

meduza evasion stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 7 IoCs

resource	yara_rule
behavioral19/files/0x000500000001a46e-151.dat	family_meduza
behavioral19/files/0x000500000001a46e-154.dat	family_meduza
behavioral19/files/0x000500000001a46e-174.dat	family_meduza
behavioral19/files/0x000500000001a46e-184.dat	family_meduza
behavioral19/files/0x000500000001a46e-261.dat	family_meduza
behavioral19/files/0x000500000001a46e-347.dat	family_meduza
behavioral19/files/0x000500000001a46e-561.dat	family_meduza

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WeChat.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WeChat.exe

Executes dropped EXE 4 IoCs

pid	Process
612	WeChatAppEx.exe
2184	WechatAppEx.exe
1608	WeChatAppEx.exe
1720	WeChatAppEx.exe

Loads dropped DLL 22 IoCs

pid	Process
2520	WeChat.exe
2520	WeChat.exe
612	WeChatAppEx.exe
612	WeChatAppEx.exe
612	WeChatAppEx.exe
612	WeChatAppEx.exe
612	WeChatAppEx.exe
612	WeChatAppEx.exe
2184	WechatAppEx.exe
2184	WechatAppEx.exe
2184	WechatAppEx.exe
2184	WechatAppEx.exe
2184	WechatAppEx.exe
2184	WechatAppEx.exe
1608	WeChatAppEx.exe
1608	WeChatAppEx.exe
1608	WeChatAppEx.exe
1608	WeChatAppEx.exe
1608	WeChatAppEx.exe
1608	WeChatAppEx.exe
1720	WeChatAppEx.exe
1720	WeChatAppEx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WechatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WechatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	WeChat.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\shell\open\command	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\shell\open	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\" \"%1\""	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\ = "weixinProtocol"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\DefaultIcon	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\shell	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\URL Protocol = "weixinProtocol"	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\weixin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe,1"	WeChat.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2520	WeChat.exe
2520	WeChat.exe
612	WeChatAppEx.exe
612	WeChatAppEx.exe
2520	WeChat.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe
Token: SeShutdownPrivilege	612	WeChatAppEx.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2508	2520	WeChat.exe	30
PID 2520 wrote to memory of 2508	2520	WeChat.exe	30
PID 2520 wrote to memory of 2508	2520	WeChat.exe	30
PID 2520 wrote to memory of 612	2520	WeChat.exe	32
PID 2520 wrote to memory of 612	2520	WeChat.exe	32
PID 2520 wrote to memory of 612	2520	WeChat.exe	32
PID 612 wrote to memory of 2184	612	WeChatAppEx.exe	33
PID 612 wrote to memory of 2184	612	WeChatAppEx.exe	33
PID 612 wrote to memory of 2184	612	WeChatAppEx.exe	33
PID 612 wrote to memory of 1608	612	WeChatAppEx.exe	34
PID 612 wrote to memory of 1608	612	WeChatAppEx.exe	34
PID 612 wrote to memory of 1608	612	WeChatAppEx.exe	34
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35
PID 612 wrote to memory of 1720	612	WeChatAppEx.exe	35

C:\Users\Admin\AppData\Local\Temp\WeChat.exe
"C:\Users\Admin\AppData\Local\Temp\WeChat.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\[3.9.9.43]\mmcrashpad_handler64.exe
  C:\Users\Admin\AppData\Local\Temp\[3.9.9.43]\mmcrashpad_handler64.exe --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=crash_notify=1 "--annotation=ext_info={\"app_call_name\":\"微信\",\"app_name\":\"WechatWindows\",\"app_path\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\",\"dwbuild\":\"43\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\crash\",\"major_ver\":\"3\",\"minor_ver\":\"0\",\"module_name\":\"Wechat_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\[3.9.9.43]\",\"product\":\"WECHAT\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"3\",\"version\":\"1661536555\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=product=WECHAT --initial-client-data=0x2f0,0x308,0x30c,0x310,0x300,0x2f4,0x7fef139e3f8,0x7fef139e438,0x7fef139e468
  2⤵
  PID:2508
- C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe
  "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe" --log-level=2 --helper-handle-value=749422580 --wechat-files-path="C:\Users\Admin\Documents\WeChat Files\\" --product-id=1000 --wechat-sub-user-agent="MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x6309092b)" --wmpf_extra_config="{ \"reportId\":-1, \"version\":8555 }" --web-translate --client_version=1661536555 --wmpf-mojo-handle=2712
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WechatAppEx.exe
    C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WechatAppEx.exe --type=crashpad-handler --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=crash_notify=0 "--annotation=ext_info={\"app_call_name\":\"\",\"app_path\":\"\",\"ext_param1\":\"2.1.0.8555\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\radium\\web\\crash\",\"module_name\":\"XWeb_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\XPlugin\\Plugins\\RadiumWMPF\\8555\\extracted\\runtime\",\"product\":\"browser\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"1\",\"version\":\"1661536555\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=product=browser --initial-client-data=0x43c,0x440,0x444,0x448,0x3e4,0x44c,0x147d23d68,0x147d23da8,0x147d23dd8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2184
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --ignore-certificate-errors --log-level=2 --ignore-certificate-errors --enable-crash-reporter --client_version=1661536555 --product-id=1000 --log-level=2 --mojo-platform-channel-handle=1560 --field-trial-handle=1692,i,2448042394634851177,17557804283617450831,131072 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,kXWorker --disable-features=AnonymousIframeOriginTrial,AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1608
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --enable-crash-reporter --client_version=1661536555 --product-id=1000 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-level=2 --mojo-platform-channel-handle=1588 --field-trial-handle=1692,i,2448042394634851177,17557804283617450831,131072 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,kXWorker --disable-features=AnonymousIframeOriginTrial,AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1720
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --enable-crash-reporter --client_version=1661536555 --product-id=1000 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-level=2 --mojo-platform-channel-handle=2144 --field-trial-handle=1692,i,2448042394634851177,17557804283617450831,131072 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,kXWorker --disable-features=AnonymousIframeOriginTrial,AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_4B8278BA8F55C23F8BC7CF648BA27BCC

Filesize
471B

MD5
5d35d2adccef6c14039478c0ad34ef4e

SHA1
65c142d4f49336c35204b9c5526da0b9720e639e

SHA256
8f435c8d26b7c40b5d9c620496545b3f50b5bbaeb8cc4cd5a4854f98e6c26c86

SHA512
97b8b445d1693ca76dd3186a3411b1aca056c49c35f3c1ab0009410e35bb8563178536edc363a798c38489705137bac68b52e4ade26732af74a8ebbb7914c3ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9

Filesize
471B

MD5
f159f9e7b10d12df0b0affb8816fca9b

SHA1
d1eca47979b7753b23bbfca78c23100de02b3cd4

SHA256
9af89954cead6b36c020aeb01a5ab140c74da5afba7603911f31747aa1db04d1

SHA512
e4717a3b6db666248c1da159ea1cc3f45bfaa5052dc812e5a58051fb8678a433ad53d2051c0528fd1096757497c4f789fb111571256eacc6ff480d6a218bedcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e245aac82982389e2ba9114d29938658

SHA1
01cd8bf42fb993db0ec0c0598dea1ac8f164db30

SHA256
a8786aa2093c32434bef1f871ac1650733651b6b364c955cb141751974ccbc9b

SHA512
00023ae0e313d57490dc6ff22c2f789a07e043f7de16fb3ca81deb50557051fd2b584ba27246ba0cc847468476a7740517832ef66a6cba2e6138f6ab8a4f58da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3a373797966f08461170a51fd0fff9a

SHA1
a6d7c5b2783fcb82b83a188b7e9615fee2725da9

SHA256
ae8b7470e6004ae82e3feae1fce144477480dfe9e1a899880959ded490d39d94

SHA512
5602108597e0b4b50cc05cb69e894804a8106d97b7b533dd78bc50375d578fec9b540caf3b24ca56c47382bd1fa9c8ef2c74ea72866b19834f3d15b660f2a32c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f0c1dd1aa7d0e4bc1ecf14f5ceb97a1

SHA1
d5ec6532dd3c28203c92a5e0cadb065a897eeab5

SHA256
44e626f7d4e40b3c4eff4eb7b8852037884455778f341b0a185332a817cc08de

SHA512
359b04342a43ad2f5759e553f813cf5e9786736c21534048cc48caea8f4b9621105f585c67899cf8051c9f6407554090298ce499fc7131966dae298760aca5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ec3247cf6aac7122867aeaa1d7113a4

SHA1
ef370220b76da2d1f5142eed0a6289db40d81442

SHA256
8de99413b403a2062aa5a36b8934b39f928fdbb0cece9561368e98a3186f192a

SHA512
30af2e6360149d74628e0d4c89383480b5208f774c817a9e076d0dc3ac0e89e28b5961e379e417609922c928e2e1cd92cc667ff61537d915d7f18169fb0314f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_4B8278BA8F55C23F8BC7CF648BA27BCC

Filesize
400B

MD5
9e5b41f9564976302a98189a4257be3d

SHA1
4e0bc414379b5f43f1248d5a8a88d98e1afabc49

SHA256
ed3ad68823426b3f638f3ff1cca16e709b4563335c88737958c5a89733624fe7

SHA512
dc6584a941f581363494fd54fb058efa2c015918315075e88e3f14ffe27106708e78f214f6949eab7c53ccac58eb1daae549100293d4cb16015c6ed0b1f72523

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9

Filesize
408B

MD5
04eda5af136b78752cf187ef2c2b3065

SHA1
9a91480146ead7be35a1eaf73be822dbea63709b

SHA256
b1b8a0894aae684671475bdbe151a8d0ed1c0092381444ea2f3ce461ddade518

SHA512
0e39779deb71ffc63e22b19c0b57949e63d72e79995a9ab172254d87b00fb789b066a517e4b829409d6f9f159f79be6f5fe0862f34d476bbda6f8754e00b91b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab86AF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8809.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE1C.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\1\kvcomm\new_strategy_file_kv

Filesize
3KB

MD5
d6753c28e4755449f48117de4a260136

SHA1
95b793a275defdc74549c97c9a83cbaf2b7b3e55

SHA256
b3ca2cc10ecf502b6c8e45fda0ba12014d283fa038be031926eeaabf4dda8a52

SHA512
f1ecf5b9bc8ed040088c1d30128ba5f4915334107e2dfd98d898d87faaa90ede47ba01f42b69b5b79094bc8fe0e21a02f143e0db18a7b40a33d0d7b7ee635408

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\D3DCompiler_47.dll

Filesize
1024KB

MD5
a20871e237f832e97460d85e88aa8bf8

SHA1
91b1cf63636a10cd080c11bcc7f8a2d8371a5e58

SHA256
a9cd8100730a68dd9092a633f1cd48bf8cd120e17a8511305903f68ed4b717ae

SHA512
3ac0f7fd69bf4400e9ce418c765f69e98b7a7aab528a7be3e96e1c1d4c66a429530dcf66376e0938972aa8876c8e0b2a22a017e2fbe2545b6a392e254581ced0

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WXAMSDK.dll

Filesize
1.6MB

MD5
5b1b3d1a07f22684c4136c65128cc2c4

SHA1
7aa264369cbbb72f5fcdea258a4570857238d675

SHA256
d1d97c8c81bf1dd79192bce405952eb1f5d1628a04334ff6909901f04b1123b0

SHA512
9c9d473ceca28a583bc55fdb05712266e0feffe79d2da93a8035ad1bde8e280e6a6ca8c9d93c728ea52fcf7d734137fa326ee80cfcb88354973f315cee15b9ee

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
2.4MB

MD5
69482a75022f2ed5823dad4b55f18176

SHA1
fb8f4654b9f58afd3e295bb269c1b721cd7ea932

SHA256
5ad675786ffdbb598c01d08b1a5e660c5d2570b6b496b862b1daacd4c88d6608

SHA512
7dcea19dc12dc3d0f4bbe308dcec7fb268c9c0812ed289ec5f3ff3ac695752bde3798d6a36e86d17422c0932733b6acf89ce2497989f0993c855dcfd2c318018

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
1.9MB

MD5
4c563a89737f34ecd96c51060e35a9cf

SHA1
f0481f07acaf502f0a02961b9c3326cfd6584348

SHA256
7bba1dd307b7849c337b634a54e2fe77b21c8355261914e1495a365b057cb4b8

SHA512
19249600016d77339778842d5a894d56f368a182527669d497417ff3b530ec021d214728592ef5b8ad7e4748f253971373511b00274e3fea7e0d1dbbb04bee9d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
1.8MB

MD5
ec0d7e89a1f2393945623f39a447284c

SHA1
43bcc477ea67f7dae9c50c44c310662c0e9ec741

SHA256
98c6e0cbc36ba50e98e61565f0a5d70b5cc2c96f769328b3aab03a1e9f86f108

SHA512
38c39221534bcae1519726fe23abaf41370f1cf09a6c18fb89276798d9ae7e8405325f5f17b8d03dc4df30c82cb56b4aad5eb472b07a30e2ac2ebb8fc8224b3d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
896KB

MD5
7fc2a27fe046023673a7357d5bd39911

SHA1
6ba18cb6aadcedc14636ccfc94286760e718c050

SHA256
aeab4d2f375046134145b955b20a03999097a3df5b94d5ab4edab0010be7530b

SHA512
642163f1ab6877f2bfaeecdbd8df0800e24a915692cb2c47a0f7b9a81273f93f3933bcbd6667e6541d31c19ab54e1fbbf2501ff17616548f493b729591ee4e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
768KB

MD5
603bb31639dce42728caf2978761d0c8

SHA1
eb7111bccb9cd2d3e373c2f27c9da0dae97195d5

SHA256
5897db3113b4b15042a095b66423e9ddfb8f95353ddc72c0ee8d9f07c7b2cae0

SHA512
38668d500e432727f055ae7a4b697314e4e71a523d14ce3f7188ec610658593eb47ca9531352927f42829414a58102a34518af7c97793e90f1310dbc4acf8dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
3.8MB

MD5
ad292c2168e5025d5753ce6571429c0b

SHA1
f2c405140a9f3c7461d600530d344ea349442f65

SHA256
af6392cb274e91761b07c9511ee647869ff7c9f0b7386824cb9b1a231e3a5d22

SHA512
d3c0b842783b51b8170c677fd9cfc3fa360f7a6af00f34b23c54556c2fd68c21cb556b8965719c25e84cad38c62d3cd922f9f35d8558327ed9b33655f55a4c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ffmpeg.dll

Filesize
1.6MB

MD5
f165563395bc768ee3deed2a8a36e83d

SHA1
e42c19b4cd1f26b822beb1807cbe839b00601f81

SHA256
c8138537dd705767b748f8a1b7db17a536511e5819d6f2a152385f95516f89d3

SHA512
6e43abed2f1955fb01007d32187a348ccf0e910fa20027d800f90174f69e2d82a390f27653f519c9b719724d613e84a0fbb0baa42dde6867f56ac196670e1cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\icudtl.dat

Filesize
192KB

MD5
5de95b1f58d903eabc6056339cf5a89e

SHA1
f243e22a2ea86bfed2e1c0be9c0a8d6d436bb153

SHA256
1bc3cbea66f1f306fc6feb1660b89797bfd7139ed7c511aab4e80ef94b15c972

SHA512
1d71a04b608740661aedcc4c0b59a7740b30bbd1b724e434fe93fb71bdc4052498aa61c1044d095aa3791dd9a866fbf2ab1b444b502e4ce05e094d7c556fe3d9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ilink2.dll

Filesize
1.6MB

MD5
01fcd9e4e00371cec9651269f0b1ab18

SHA1
e8730989137261c37726fda7c7a0d35aed9bd2f2

SHA256
993f2c2432b43ee80492791e3960f878014c96ff417ffcc93942c3db6bc77c08

SHA512
d3ccf22ca5f244353027f5b93160346837e5dcfcaaeeba9b92931acf6610b5ccc204beca13e2f976a5237ddbbcad3414ec9e5b8cd7ff50ccb5ba56e54155e599

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\libglesv2.dll

Filesize
960KB

MD5
2d635959258207e5578da0ce58cd95d4

SHA1
a507990256d9c4620d03a8058a3e3e1aa1cedc37

SHA256
a9900cc794e0f55610fbca57a5599c4307c6faf0388181adf6fc3d020aa76cb2

SHA512
ee0ec39a5c1652d2a0baec110465756fb9a3fb2f625608ee683cadeae59abed719e3e0773f78726561cecfb031c385acee5a158ff4ad721b5137882e67103173

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\locales\zh-CN.pak

Filesize
145KB

MD5
7ebf36270f4d0787c6f0dae9fda6a56b

SHA1
ff90c3665728664d2f7b97f6351b2f07c1893a9c

SHA256
3abb82e958d76e767dfe2ba3ca1b8ee2c4d7de4d347f24ecb3c13f3935203830

SHA512
fbc48c571ebe6ccf68a2a2de1654c0c83e07c46f92e6b28896b9b4e25a451901ac9627546df97716dfb2824673083833d22aa9465290a1126470a9dd0deea928

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\v8_context_snapshot.bin

Filesize
471KB

MD5
a2754ed8547785fb7886ad5ec39f03a5

SHA1
027615a1c8d6e79d487420fbaad5b222e333f6a5

SHA256
1760125a008dfcce4a21529c584aaf537b8284c1633a17d4bb8c5439106182eb

SHA512
cac0263eae2f38659f123c31c600dc9899d7ef3e778dea0d944322fddd3f53d153e87a9869e507a1b1e420305db699167753e72117a637fced5e85abdd38e805

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\wmpf_100_percent.pak

Filesize
192KB

MD5
758c152abcf69a9a04fcbf2f59509327

SHA1
868e98668c90fae28d558564d45044ec673c7559

SHA256
1d25dde1da2050ddfaaebd7421402ae6534aeeea2e40f0660619be26ac195aed

SHA512
17d2344bf9f092c4642fc105a01307e6a18f64a57920b91d2d88c16e963bfd366610be41588d2017a6877641ae71f5a350aa5992cc503f003fb32244d955233d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\wmpf_200_percent.pak

Filesize
192KB

MD5
02322378f5317bea74701ec1e0804987

SHA1
4545c7843522f601c72362a062d74b3b327e4829

SHA256
ec98c876754fe9232096e9e2159c4fb939bd3fb2720833093c4f0b37a5b8df49

SHA512
7603c1fa919da196842893c64a4d00842cce052a7a00354a455f13c09212d56168191118ecee5739e22101cb4206db781fe5eadf55f8a764646f53187a993f60

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\wmpf_resources.pak

Filesize
192KB

MD5
27c9921bb6908a72466a03e73c92bda6

SHA1
f505692b550d98e5c3ee0a430c99cbf03f8308a5

SHA256
cb31ebb8ad1d1d3fd46e56eec52998402f6980c7b13802bd2df5435e5d53e18c

SHA512
7606ea7ea5bf7d1ff7c49a98cd515c0950f516c5ecfdf3b67b28f875afa4dc814dde734ce3a213c9d5d8a65937659003e99cc590090356142f09333d5a62fbf4

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\xweb_elf.dll

Filesize
1.2MB

MD5
1ad43e2f2fead1fbdc1d970f620a65da

SHA1
35b53f4386f823a4afa85b74a8dd9c1af4b5a121

SHA256
dc72df3028edef535744a851fa8f46f868df88932d5374215e34eddce4bc86c9

SHA512
83cf82d4d6a7b2770048240052899a29b1b9907457a16ededb2a7e4266ac8d8e72538fd7a77e2cb0d0bb4d10d20094158e08b80b8e7ded0aad21c3548e639ce8

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash\settings.dat

Filesize
40B

MD5
8f28b13f2d26413a87c87d3ff2ead520

SHA1
c29c84cee542006065fb91154d7ff54a7f8498d4

SHA256
bd3da496764e522ce11dc725900a7484ac0e736e04359b80043054e07f190e89

SHA512
8dcd353355edfb7d14a445c51a75d79efc6a3395a844937bdf093b51306d30c6a8aa77ca39c32e2398da1335d16a5dbcba59d7fbe9e9b9c4216b13e634011669

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\log\MM_20240316.xlog

Filesize
65KB

MD5
4c4b5cd2dd2414e267f978adbba25ee9

SHA1
ffe83453d68dd49ddc4dadc4c39918e51676bdcb

SHA256
c64fe501e9d1be6f53d21c2085e6a4e84fdfd6925d1e81d429d5bca4fea46413

SHA512
dc29bea63f382d3116bb49606d96de58a9610b4fa728b61d143306aba91fb592220ddff2e7742468365e2cd22b5f74583984e7cb65c0c09bb95b5e929f9b0a56

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\host\wmpf_host_export_x64.dll

Filesize
2.2MB

MD5
e479c9b7f445f62e512dca0b671fddba

SHA1
20a0df44d91a5e3b9bb8e422946f343d4f82df61

SHA256
c9c85a4136cfd3a06cf15d1fa59e0ae0343cab03986bec5cf4456402d8eb3b3c

SHA512
0a1606ec5a794f1c1b4b28e3161cc142999d09f4bc8ffbd241b4c42bba562048a0653857ae1b2f70cde6691e7ce4b78a2201fbf540c3ca4c64a4f64d7887b1fe

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ComponentVerification.dll

Filesize
179KB

MD5
2d39b287fc2e07a9f26620c5173b41b8

SHA1
5cb471dea1a7087f5b6735ff8f43f9f27d32a061

SHA256
28e883c76d68de23f0a2aaaaf8458e490c54d6874e33594b8fbf7e44f099270b

SHA512
6e37dfa78c40ce8fd58edf237cf26c4d100f19970fdda8c0cb2cb95718ebba284c1e1ea481335f8270b9ecf015757f206b74de6c83a5c7e409e89b214abb064c

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WXAMSDK.dll

Filesize
1.5MB

MD5
3f668a4d2446bb2df01072774ad98189

SHA1
e98422ed963b0de0025456befe3ccd1874169078

SHA256
c12853f197687bcf03ec7898712db246dd9357a687e62e6e2684d704f9752d12

SHA512
7f06dde67b0356675284fd755c3cb01e30eb671b2a41455dbe174175cf5a144eafbeb1cb5d0735f9dfff43a2bbc20f1e3d08866068937c97ac01e3e717b77800

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WXAMSDK.dll

Filesize
1.8MB

MD5
ecac51625b0aa6ddedf6758f20f532b1

SHA1
314de8d4e1a6fb21a551e9e74972f8811b27cd20

SHA256
f644e23c9661b8f4f46c752a0a94371c37cc029286504fe82a0e6a6f8646462e

SHA512
37f787a1c5c30bd786054517d80a569372bbe75ad2e3973892c1be4720f2f654cd95ec967706f72e385092838381fa2323202270a44bec810ce64c01b15331e2

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WXAMSDK.dll

Filesize
841KB

MD5
f2bedc2d656a76c071d20f785d983b01

SHA1
052e0c548678ba597a3691132a0cb3b88a6ceaea

SHA256
71b23cdcbda75b6ad6b51601b83fe4e2a5e3d7e5493e7011acd2d48a836d3199

SHA512
10ae7f4f0d3fcd9dcfd8cb2e42840a030a1e0541a87870d6a70474548031af253a92b282d6cdec7ac1d8b09c4fdaff2213aa6394b392dcbfd5d0c31cf156a370

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WXAMSDK.dll

Filesize
2.5MB

MD5
2ad507c8afbff95578b1221be63c8985

SHA1
d7273c9478664195e31a0edda2f925e9e19671a4

SHA256
b7efe9b65892203fabac622e5beab9b35457d7c2f1f2a55ca49c15f36076dff7

SHA512
9d46d19856c4f3131f0fa72f3d438ea218e22f20affcd1f3562d63d32cb86b2f10faf71ecaef9920a343f47a306b8496762bba9dcc1de0f5da15ba63e3842e49

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WXAMSDK.dll

Filesize
1.8MB

MD5
fff78c54cd6a122c374797513fdb786a

SHA1
7a074950e9474ab616c272db9fc52d5d5897dc6c

SHA256
f46afa90b917fbb9b1a5da229fad43770ecaac9e47d96a8acdcdc23ccbce0457

SHA512
e62674e407318d4e072f767343e033ae5bc8f44e90a8302d778b32ae99acc96cc6bbe6f2fed5f50c3f174184ac9d34d7b349671a99b306827cf0258f870fb6e3

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\WeChatAppEx.exe

Filesize
2.2MB

MD5
683b6b0a95409e5768e2ced18ff7be44

SHA1
ea123e90ba89439c2be77121c5369e7d6c1a3620

SHA256
65f2456e97649c04e5af84688473150e83c105452cbd34af04b9f2b76e83b825

SHA512
18bfa839110d7ffb3ecf9ed398cc98e5c949ab421001d4fb3d7f11c9b7c773ccb13f82c407ec87278feb604a3a292e30368b0ded3bf0bdac4348bd38e210da29

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\d3dcompiler_47.dll

Filesize
960KB

MD5
af55bfedb14dddb020b64c3fc2eb00f1

SHA1
21b3aa2f7f3eea0e5a0302b62dbb51cdd574fca2

SHA256
d832c10f0d6a5f8982bcad2eb526c8a85312a762ef29d11dc6d88d8fb21ff04c

SHA512
58e0467d67aa5a338ff87084de5594ed63535795386b096f4b51b612959b0674f99e486aec351aa7b5c617466bbb5ea7229b1ed672fec40f825b614eb39a0c78

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ffmpeg.dll

Filesize
1.8MB

MD5
2fef7ad92f3eff0a33c4287714beef9e

SHA1
41b51ebec4d279a26c72e405762890c355ae5717

SHA256
007a74ba730d439ddc0478460736b756348060eab9e9bf6e226e56f9d04fc1e7

SHA512
f91ebc6f9fd5beb147b78d68e75e2a526a7a46c46ed16f72a64919c26d06fc51620af7c344570a3dbb7aa523fd301be23819bf071cfcf6c39bdaa74bf749db0f

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ffmpeg.dll

Filesize
1.9MB

MD5
10347993fb08b55ea5e7ce19c0b68333

SHA1
33d405cba1aad2377d08c5c75e156ec18a84bc2f

SHA256
f993d1b85779b199cf31baaad22f3faf37a6b5f5caccc7e7bdffb31c3d323f77

SHA512
c2b8d67207776bea97de14bf54450a334a1588073b5ef0110b674d2bdf2fd69a106f867f21df54cc09f5906a8c06d3d1dc125b59c14bc4de738377ad7acbbb23

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ffmpeg.dll

Filesize
896KB

MD5
eae6e1ae22ef3497acb42e7c79c8a5a0

SHA1
074e234d95fbf20f67163de15de703aa451cd12d

SHA256
2829a1f7de5ae325b0611f2bac894a76e96aab29bb6b105f97e83202dca79e41

SHA512
56c845d255401f6e7f3dde876ce890d4f614ca19e1521ece5db3016b7451b6cb4a97b4904afaa84af6bf28d78a4eaaa825da86593111b77e42f74e1a15e3fb45

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ffmpeg.dll

Filesize
384KB

MD5
80b0b180cb4e8aea4a65d20ec6d1f5a4

SHA1
a7661db4da6f3691d564f44e5ae12b3bb5d87378

SHA256
09b0f62efc85e91f598e7dad0d17f78b9ce027cea0aa667a356dfb2da0eaf035

SHA512
5e07318d63d39456cb70fca4e2d8e7fea793c117231519f50789535da50bac3bf4573c09cd58fa842bc2189c8c6a0936a76421322868a48d2b9d0933efbb2edb

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ffmpeg.dll

Filesize
1.9MB

MD5
17fc954dbac633e6a32357d90f1fef65

SHA1
a8a5967046b66e92cb5831b224a56395bd7885ce

SHA256
367f7f7e7010fcfb64674303ecc0523720faf62239461a3db9c286f11642d0a8

SHA512
23c25740d4ece3da5129cb6b91c771dae7a7e43c869e5dca63b7cca47f8bb4b9ff80ffbd92aa8e86b13dd6e915e2e5468f682385b06de9b05d72def193f4e421

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ilink2.dll

Filesize
1.5MB

MD5
0a874bb0601dd6b4295fe336cf324b07

SHA1
800a1e78f0558e8ce5113f130589086ea3769948

SHA256
6ee9f1be9ccb06087cd5df0c56f0a52eeca6cc2b9475f63abf8d33307ee06cec

SHA512
b653f8bb30349bd31921e2642dfe51feefe80f555763ec622a2349ca21eacf2f952d7c95e3a0b8be002e1e1e0bcecb04a1022ffa47a552254f0e62f981e4e9e7

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ilink2.dll

Filesize
832KB

MD5
3f747d7a441f0116fdb0332c29341bce

SHA1
cc97a9ffcd66a036cf4f44e76cb05e6f4afa2f87

SHA256
1758ae18e0f78e1a9f8bf763207a87d61dc81c82239236e9902a9ba7c52f9598

SHA512
1bf56074d5c5c7fcdee5ae1cf072330f1837a64bab635d8854320c4641d71405231fb5d95c8428ae972c7e7131f4f51d3e726fe1876a96e4037782cc76d4726c

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\ilink2.dll

Filesize
1.8MB

MD5
797baefdb29b5d4f16dfb2341d536f2f

SHA1
d9ff63e928a92b82d25f14891ac5a830920cba92

SHA256
21af7ebca91e50fb1052359f31d5cf6d820e9e29859cc7b0687a217bc6a744b1

SHA512
e1a179754f13b1061d91ba3f0f633ece589eae5eedc4e3b658dfe24af3b944fb7089eee0fd9f40d09ac727e06819ee4a42760e8d5c068c0bc05d5b3926f0a878

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\libEGL.dll

Filesize
455KB

MD5
9b9728cd955f5b8794f1e36f8acd896f

SHA1
9aa0d34ad7dd878fa515f1d438d4bec682408451

SHA256
a41d39af4a544b68590e42d2880c65360893e3552a4262fa6648833b65674c05

SHA512
cdb77bd5f1e10e3178a7facd07a40e227a5d4dd6f3966002f6944e13da5ca58c5761ba29e4ab0521f2e2825da601307d84139845ce444a61ecaa11bda8c23cc7

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\libGLESv2.dll

Filesize
917KB

MD5
f7ef6a9ebd4affd42dd29ce9e980816d

SHA1
41bbb0524a7f58cae0229baaa03a7b78fe04b851

SHA256
d0a5a9b45d751c081bcbcf3337b78699427e25b8b1ce1a5f536c340ced27dd28

SHA512
87b0fbd659b709ee483dbe73e73a95ec01055eb5fa07ba677a16d5ffd0183ab847818fc5c1ba9b1e6b0b29d1ada8dc7c108a224e3a5ed770bc364876256f3f08

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\owl.dll

Filesize
1.1MB

MD5
d353168c039c511e68371cbf169b8e68

SHA1
7df9f380696fc53dfcfe48a2075eda2a09bdcf10

SHA256
2cba0285a261ee54beba45e00c4494117d675c72f79a6b2757b1be040a3dc58f

SHA512
6ad5f63e3bb6743982868d50c6b91220c30df990a5e10cef03dc33ac97301b17b06a2f43e77999cdb34b71f15884290cdea99b5bfd6950a06ced2bbb69b6ab0a

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\owl.dll

Filesize
768KB

MD5
9fa06302db84eb0a642352d9691744a8

SHA1
aa5bdf7f19beca0d530d642fd01f53c3c8f20084

SHA256
f22bef26dc95b961358ea8986af1b094b7b083888fb24186a2211f27d6c136f8

SHA512
a9a4612945cb6264a163cbacfb56a17b41b9ab65a154fc05f5e7aa7318a9e66fc59e226c6e77f8ae09f41da5256a32b7dce3e77b9074d78397403a00d5e0851d

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\owl.dll

Filesize
832KB

MD5
5b1e2e2f4a28f8ab5177adf78165c3b5

SHA1
ff58e2c703d21ad8f91b3246a90890d4f3c6ea75

SHA256
b3766106e9efd2d250c4ee5cc543d62f73c2059e8b14992d609458b591aa1f38

SHA512
90215e49149fe5b926f6f47d60f4f1427fcdd36d299fe3d4c0a7606cd1a3035b2269ccdcd1518ae237bd6595d7eaf050ff422c0d71a82c43f5885ee57c7cd632

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\xweb_elf.dll

Filesize
896KB

MD5
b939b779217fe3cbd9f9e585569b42e4

SHA1
bca3efaa9cebecf9a0e6f924315ac2782d6b6d5c

SHA256
940b22b0e860e626cb7bd5bdc4c635f8e74a8b8c181f7885ab00dd56cc7add1e

SHA512
1116d363b691f00b2119653eef97e5443564cc6611197a564ba0cfc8459d613b88649cc5db5c5be96c1f6a17121509f83b929144c6003e7caefb02d50d04ddf0

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\8555\extracted\runtime\xweb_elf.dll

Filesize
384KB

MD5
f9cd6dddbf38ddc992b24474f7b58b6b

SHA1
99e3fea2555642bf75fffd23f14c607347e2b8fa

SHA256
bc135a8b93b584434422bbc97eec9bb80d344106d4fc1bc5eaac0e9122e59e7b

SHA512
0f7bb77ead66f91159c461b7a146a5cd1e1a474052a0bac45978f42fda6b1d72a594016fc80d665695bd547c87e221c97da44ff2f8b3cf976d1b7573bc06af23

Download Submit
memory/612-180-0x000007FEBCEB0000-0x000007FEBCEC0000-memory.dmp

Filesize
64KB

Download
memory/1720-348-0x0000000076F60000-0x0000000076F61000-memory.dmp

Filesize
4KB

Download
memory/1720-272-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download